Analysis Overview
SHA256
01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6
Threat Level: Known bad
The file 01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N was found to be: Known bad.
Malicious Activity Summary
simda
Modifies WinLogon for persistence
Simda family
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 07:26
Signatures
Simda family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 07:26
Reported
2024-10-31 07:29
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\dbd0784c = "ÁI–K•…\b\u009de…\x1fÅ‹\x1d|ú˜\x10”F(ói:}@¸rÓÒ™Ô‹¶ê\x1a\\Êã#ºÄ´Mûvbô+\x0e\x02ìCÃ\x1c¼Nk\x0el\r*„ÞNìk²\råëäeC\\Æ\x14½\x1c\x1ckcì›d»¼#TsÓ\x03›U\\¤\x1cþ’e\x1c¤<ëœ\\…컼ë•“’\x02Ö½³»[\v\"mC‚ÚV\x03«¥:ƒ¶\x04ƒS„„´»ý»Ô½Ü«üó\võtóæ\x16\x1dÅ\x02s½ü*ëTå\x14Œ\rDìÌê4T*úÒBƒ+v£¬+ƒ4üÔª‹£+ƒ£;¼»ÝDkÓ+³þ‹\x13D\\¾4Û\x1bcó\x05++Cö[ÓžÚ;S³îk®†Ì5û…\x13«“¼kB^T\x1bD£ÓudKÓEäSlk,›\x13ÔÃ" | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\dbd0784c = "ÁI–K•…\b\u009de…\x1fÅ‹\x1d|ú˜\x10”F(ói:}@¸rÓÒ™Ô‹¶ê\x1a\\Êã#ºÄ´Mûvbô+\x0e\x02ìCÃ\x1c¼Nk\x0el\r*„ÞNìk²\råëäeC\\Æ\x14½\x1c\x1ckcì›d»¼#TsÓ\x03›U\\¤\x1cþ’e\x1c¤<ëœ\\…컼ë•“’\x02Ö½³»[\v\"mC‚ÚV\x03«¥:ƒ¶\x04ƒS„„´»ý»Ô½Ü«üó\võtóæ\x16\x1dÅ\x02s½ü*ëTå\x14Œ\rDìÌê4T*úÒBƒ+v£¬+ƒ4üÔª‹£+ƒ£;¼»ÝDkÓ+³þ‹\x13D\\¾4Û\x1bcó\x05++Cö[ÓžÚ;S³îk®†Ì5û…\x13«“¼kB^T\x1bD£ÓudKÓEäSlk,›\x13ÔÃ" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2988 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2988 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2988 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2988 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe
"C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
\Windows\AppPatch\svchost.exe
| MD5 | 26f63c425865a1a29127b930e8f72e1d |
| SHA1 | 8faad8deff25c0e4f5b954532f85087ba009de6a |
| SHA256 | 39dbed484154be1128a7c3edb118844c71af80fcdfa85f8ddba73e98e0113c4e |
| SHA512 | ad94ac8fe4f5a4992e42ebe70460c503f32b12b33575123335dc848ae06de3f475d03e26bcf1c9d005a1e6deb554ffb962372753f1096ae5aa2b5c19e6ed2719 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 07:26
Reported
2024-10-31 07:28
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\7634a54a = "û\u009d\\®Ù‹C%ø´[îz—Í~š<¾ölHUØHŽñ«s\u008fÅ\x127Ö/má±U\u008f—Ùz\x11?ç\x12¢-ßw" | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\7634a54a = "û\u009d\\®Ù‹C%ø´[îz—Í~š<¾ölHUØHŽñ«s\u008fÅ\x127Ö/má±U\u008f—Ùz\x11?ç\x12¢-ßw" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | N/A |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4844 wrote to memory of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | C:\Windows\apppatch\svchost.exe |
| PID 4844 wrote to memory of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | C:\Windows\apppatch\svchost.exe |
| PID 4844 wrote to memory of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe
"C:\Users\Admin\AppData\Local\Temp\01cd98f7e75dab215a938ab41e5b2d0bfc4f0653e066e528d00fc379debacaa6N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 95.100.195.34:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | 34.195.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 162.255.119.102:80 | gahyqah.com | tcp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 69.162.80.61:80 | lysyfyj.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 104.21.30.183:80 | qegyhig.com | tcp |
| US | 75.2.71.199:80 | puzylyp.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 75.2.71.199:443 | puzylyp.com | tcp |
| US | 69.162.80.61:80 | lysyfyj.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 183.30.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.71.2.75.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.119.255.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.10.94.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.80.162.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.222.234.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.156.208.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.50.191.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.240.195.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.231.212.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.179.250.142.in-addr.arpa | udp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | 205.71.79.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| US | 104.21.26.151:80 | lysyvan.com | tcp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| CN | 111.6.96.18:80 | lyrysor.com | tcp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 107.178.223.183:80 | lygynud.com | tcp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | 151.26.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.169.248.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.223.178.107.in-addr.arpa | udp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| CN | 111.6.96.18:80 | lyrysor.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qedysov.com | udp |
| US | 8.8.8.8:53 | pumylel.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 8.8.8.8:53 | lysysod.com | udp |
| US | 8.8.8.8:53 | vonyket.com | udp |
| US | 8.8.8.8:53 | qekynuq.com | udp |
| US | 8.8.8.8:53 | pupypiv.com | udp |
| US | 8.8.8.8:53 | ganykaz.com | udp |
| US | 8.8.8.8:53 | lykynyj.com | udp |
| US | 8.8.8.8:53 | vopypif.com | udp |
| US | 8.8.8.8:53 | qebykap.com | udp |
| US | 8.8.8.8:53 | pujybyq.com | udp |
| US | 8.8.8.8:53 | gatypub.com | udp |
| US | 8.8.8.8:53 | lyvyjox.com | udp |
| US | 8.8.8.8:53 | vojybek.com | udp |
| US | 8.8.8.8:53 | qetytug.com | udp |
| US | 8.8.8.8:53 | gahyvew.com | udp |
| US | 8.8.8.8:53 | lyrytun.com | udp |
| US | 8.8.8.8:53 | vocyjic.com | udp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 8.8.8.8:53 | purytyg.com | udp |
| US | 8.8.8.8:53 | gacyhis.com | udp |
| US | 8.8.8.8:53 | lygyvar.com | udp |
| US | 8.8.8.8:53 | vowyrym.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | pufycol.com | udp |
| US | 8.8.8.8:53 | gaqyreh.com | udp |
| US | 8.8.8.8:53 | lyxygud.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | qeqyreq.com | udp |
| US | 8.8.8.8:53 | puzyguv.com | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 8.8.8.8:53 | lymywaj.com | udp |
| US | 8.8.8.8:53 | volygyf.com | udp |
| US | 8.8.8.8:53 | qedyxip.com | udp |
| US | 8.8.8.8:53 | pumywaq.com | udp |
| US | 8.8.8.8:53 | galyfyb.com | udp |
| US | 8.8.8.8:53 | lysyxux.com | udp |
| US | 8.8.8.8:53 | vonyqok.com | udp |
| US | 8.8.8.8:53 | qekyfeg.com | udp |
| US | 8.8.8.8:53 | pupyxup.com | udp |
| US | 8.8.8.8:53 | ganyqow.com | udp |
| US | 8.8.8.8:53 | lykyfen.com | udp |
| US | 8.8.8.8:53 | vopyzuc.com | udp |
| US | 8.8.8.8:53 | qebyqil.com | udp |
| US | 8.8.8.8:53 | pujydag.com | udp |
| US | 8.8.8.8:53 | gatyzys.com | udp |
| US | 8.8.8.8:53 | lyvymir.com | udp |
| US | 8.8.8.8:53 | vojydam.com | udp |
| US | 8.8.8.8:53 | qetylyv.com | udp |
| US | 8.8.8.8:53 | puvymul.com | udp |
| US | 8.8.8.8:53 | gahydoh.com | udp |
| US | 8.8.8.8:53 | lyryled.com | udp |
| US | 8.8.8.8:53 | vocymut.com | udp |
| US | 8.8.8.8:53 | qegysoq.com | udp |
| US | 8.8.8.8:53 | purylev.com | udp |
| US | 8.8.8.8:53 | gacynuz.com | udp |
| US | 8.8.8.8:53 | lygysij.com | udp |
| US | 8.8.8.8:53 | vowykaf.com | udp |
| US | 8.8.8.8:53 | qexynyp.com | udp |
| US | 8.8.8.8:53 | pufypiq.com | udp |
| US | 8.8.8.8:53 | gaqykab.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 103.224.182.252:80 | vofycot.com | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 103.224.212.210:80 | N/A | tcp |
| N/A | 15.197.240.20:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 64.225.91.73:80 | N/A | tcp |
| US | 44.221.84.105:80 | N/A | tcp |
| N/A | 154.85.183.50:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 64.190.63.136:80 | N/A | tcp |
| N/A | 199.59.243.227:80 | N/A | tcp |
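The rows above are the sample's network activity: dozens of distinct seven-letter .com names queried through 8.8.8.8:53 within the two-minute run, of which only vofycot.com was followed by a TCP connection (103.224.182.252:80). Many lookups, one connection, and every label cut from the same letter pattern is what a domain-generation algorithm sweeping candidate C2 names looks like from the network. The Python below is an added example, not part of the sandbox report and not the documented Simda algorithm: it parses rows in the table's own format (realigning rows whose domain cell was lost, as happens in the last rows of the table), groups the queried labels by length and consonant/vowel template, and compares the number of names queried with the number actually contacted. The template heuristic and the thresholds are assumptions chosen from the visible rows; the embedded rows are a constructed sample copied from the table plus one benign control (example.com).

```python
from collections import defaultdict

VOWELS = set("aeiouy")
DNS_PORT = 53
# Distinct names sharing one (length, template, tld) key before the group is
# reported. Assumption chosen for this example; tune to your DNS volume.
CLUSTER_THRESHOLD = 5

# Constructed sample in the shape of the report's network table
# (country | destination | domain | protocol). Domains and addresses are
# copied from the rows above; example.com is added as a benign control, and
# the last two rows reproduce the misaligned shape of rows with no domain.
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | lyvyjox.com | udp |
| US | 8.8.8.8:53 | vojybek.com | udp |
| US | 8.8.8.8:53 | qetytug.com | udp |
| US | 8.8.8.8:53 | gahyvew.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 103.224.182.252:80 | vofycot.com | tcp |
| US | 8.8.8.8:53 | example.com | udp |
| US | 8.8.8.8:53 | udp | |
| N/A | 15.197.240.20:80 | tcp |
"""


def parse_rows(text):
    """Parse table rows into dicts; realign rows whose domain cell was dropped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 3:                 # trailing empty cell lost entirely
            cells.append("")
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain in ("udp", "tcp"):   # protocol slid left
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip,
                     "port": int(port) if port.isdigit() else None,
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def letter_template(label):
    """'lyvyjox' -> 'CVCVCVC'. y counts as a vowel; non-letters become '?'."""
    return "".join("V" if ch in VOWELS else "C" if ch.isalpha() else "?"
                   for ch in label)


def queried_domains(rows):
    return {r["domain"] for r in rows if r["port"] == DNS_PORT and r["domain"]}


def dga_clusters(rows, threshold=CLUSTER_THRESHOLD):
    """Group distinct queried names by (label length, template, tld) and keep
    the groups large enough to look machine-generated."""
    groups = defaultdict(set)
    for domain in queried_domains(rows):
        label, _, tld = domain.partition(".")
        groups[(len(label), letter_template(label), tld)].add(domain)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= threshold}


def resolution_gap(rows):
    """(names queried, names then contacted over TCP, which ones).
    A DGA sweep yields many of the first and few of the second."""
    contacted = {r["domain"] for r in rows if r["proto"] == "tcp" and r["domain"]}
    return len(queried_domains(rows)), len(contacted), sorted(contacted)


def dns_findings(text):
    rows = parse_rows(text)
    findings = []
    for (length, template, tld), members in dga_clusters(rows).items():
        findings.append(f"{len(members)} distinct {length}-letter .{tld} names with "
                        f"template {template}: {', '.join(members)}")
    n_queried, n_contacted, contacted = resolution_gap(rows)
    if n_queried >= CLUSTER_THRESHOLD and n_contacted * 2 < n_queried:
        findings.append(f"{n_queried} names queried, only {n_contacted} contacted "
                        f"over TCP: {', '.join(contacted) or 'none'}")
    return findings


if __name__ == "__main__":
    for line in dns_findings(SAMPLE_ROWS):
        print(line)
```

On the full table the cluster is far larger than the sample (every seven-letter label above shares the CVCVCVC template), and the resolution gap is one contacted name against dozens queried. In production the same two signals are computed per source host over a sliding window from resolver logs rather than from a sandbox table; the template check is a cheap first filter, not a classifier, and known-benign CDN and telemetry names with regular shapes should be allow-listed before alerting.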
Files
C:\Windows\apppatch\svchost.exe
| MD5 | 8918795e5477955e9bbe9e6eecb3aeb9 |
| SHA1 | 6951590b1a78d0e6ec05070dc012f8f331105383 |
| SHA256 | a2cac5c94b0aa1e3a84cdd0b725efd651e56d8b52e2e2e11c563251beef8422f |
| SHA512 | 1845377634431833dac536f7b549344d6d4eb62843a2f52e7775dd91c1036d408d8283b2a7589eabeff7305c3eb6e4e1f249321045b177d000dc7e324ca035b7 |
memory/4844-9-0x0000000000400000-0x000000000045F000-memory.dmp
memory/3460-10-0x0000000002720000-0x00000000027C8000-memory.dmp
memory/3460-14-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-16-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-13-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-21-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-48-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-73-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-72-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-71-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-70-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-69-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-67-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-66-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-65-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-64-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-63-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-61-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-60-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-59-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-58-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-57-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-56-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-55-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-54-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-53-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-52-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-50-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-49-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-47-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-46-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-45-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-44-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-43-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-42-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-41-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-40-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-39-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-37-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-36-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-35-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-34-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-33-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-32-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-31-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-30-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-28-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-27-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-25-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-24-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-68-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-23-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-62-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-22-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-51-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-20-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-38-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-19-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-18-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-29-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-17-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-26-0x0000000002B40000-0x0000000002BF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AB46.tmp
| MD5 | 64d3fe10bdbf8611c948d6bf3f8c8895 |
| SHA1 | e1158d2c50c79368c7b77b39657c0c7cabeb9cb4 |
| SHA256 | c6b310eb64e4ee99d40444f487bae62e63a4717a0ecc83929084b01919b19bc7 |
| SHA512 | f3f1aab74c9af50a11922a476bbf8e9a11628c6c8aaaa5ae4ca85a918486ee1e683692682fcf1538832ba17ec7091deafa1d83a99e435f43e82d9408bb073a8d |
memory/3460-177-0x0000000002B40000-0x0000000002BF6000-memory.dmp
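Two things in the Files section deserve an automated check: the dropped executable carries a protected system process name (svchost.exe) in a directory where that binary never lives (C:\Windows\apppatch), and one memory region of PID 3460 (0x2B40000-0x2BF6000) appears in the dump list dozens of times, which means its contents kept changing between dump points. The Python below is an added example, not part of the sandbox report: it parses entries in the section's own layout (a path line, hash rows, then memory/ dump names), flags system binary names found outside System32 and SysWOW64, and tallies how often each (pid, region) was dumped so that a repeatedly rewritten region stands out. The system binary list, the directory allow-list and the rewrite threshold are assumptions made for the example; the embedded text is a shortened, constructed copy of the entries above.

```python
import re
from collections import Counter

# Process names that legitimately live only under System32/SysWOW64; the same
# name anywhere else is a masquerade candidate. Assumption: a short list for
# the example, extend it from your own baseline.
SYSTEM_BINARIES = {"svchost.exe", "userinit.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Dumps of one (pid, region) before it is reported as repeatedly rewritten. Assumption.
REWRITE_THRESHOLD = 3

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)

# Constructed, shortened copy of the Files section above: path line, hash rows,
# then the memory dump names recorded for that file.
SAMPLE_FILES = r"""
C:\Windows\apppatch\svchost.exe
| MD5 | 8918795e5477955e9bbe9e6eecb3aeb9 |
| SHA256 | a2cac5c94b0aa1e3a84cdd0b725efd651e56d8b52e2e2e11c563251beef8422f |
memory/4844-9-0x0000000000400000-0x000000000045F000-memory.dmp
memory/3460-10-0x0000000002720000-0x00000000027C8000-memory.dmp
memory/3460-14-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-16-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3460-13-0x0000000002B40000-0x0000000002BF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AB46.tmp
| SHA256 | c6b310eb64e4ee99d40444f487bae62e63a4717a0ecc83929084b01919b19bc7 |
memory/3460-177-0x0000000002B40000-0x0000000002BF6000-memory.dmp
"""


def parse_files_section(text):
    """Return [{'path', 'hashes': {algo: hex}, 'dumps': [(pid, seq, start, end)]}]."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m and entries:
            pid, seq, start, end = m.groups()
            entries[-1]["dumps"].append((int(pid), int(seq), int(start, 16), int(end, 16)))
        elif line.startswith("|") and entries:
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) == 2:
                entries[-1]["hashes"][cells[0].upper()] = cells[1].lower()
        else:
            entries.append({"path": line, "hashes": {}, "dumps": []})
    return entries


def is_masquerading(path):
    """True when a protected system process name sits outside its home directory."""
    directory, _, name = path.lower().rpartition("\\")
    return name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS


def region_rewrites(entries):
    """{(pid, start, end): (size_bytes, dump_count)} across all entries."""
    counts = Counter((pid, start, end)
                     for e in entries for pid, _, start, end in e["dumps"])
    return {(pid, start, end): (end - start, n)
            for (pid, start, end), n in counts.items()}


def file_findings(text):
    entries = parse_files_section(text)
    findings = []
    for e in entries:
        if is_masquerading(e["path"]):
            findings.append(f"system binary name outside System32: {e['path']} "
                            f"(SHA256 {e['hashes'].get('SHA256', 'n/a')})")
    for (pid, start, end), (size, n) in region_rewrites(entries).items():
        if n >= REWRITE_THRESHOLD:
            findings.append(f"PID {pid} region 0x{start:X}-0x{end:X} ({size} bytes) dumped "
                            f"{n} times: contents kept changing, consistent with in-memory unpacking")
    return findings


if __name__ == "__main__":
    for line in file_findings(SAMPLE_FILES):
        print(line)
```

The path check is the same rule an EDR applies on a live host (ATT&CK T1036, Masquerading); if you port it to endpoint hunting, extend SYSTEM_DIRS with the servicing stores that legitimately hold copies (WinSxS, Windows\servicing) and pair it with the SHA256 values listed above as exact-match IOCs. The region tally is a triage aid for picking which dump to open first: the 745472-byte region that was captured over and over is where the unpacked payload is most likely to be found, while a region dumped once is usually just the original image.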