Analysis Overview
SHA256
b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7
Threat Level: Known bad
The submitted file b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N (the sample name is the SHA256 above with a trailing N; it ran as that name plus .exe) was classified as Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Simda family
simda
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V15
Persistence: T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL (Userinit value appended)
Discovery: T1614.001 System Location Discovery: System Language Discovery (NLS\Language key opened)
Analysis: static1
Detonation Overview
Reported
2024-11-02 23:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-02 23:36
Reported
2024-11-02 23:38
Platform
win7-20240903-en
Max time kernel
111s
Max time network
119s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\632be428 = "qŒ\fÇɲm¡ñÇ\x05\bX\x11éÆhŠ6•b—U¤ÿ9\x18Á•\x11É_!q¶\x19x¦8äÈá°N\u0090>é\tæ¬XÚi\u0090¬ÇQßøÊPq\x04ˆ\fŸ\x18éZ¹’×™\x10\"W1éŸi‰”HùÐç×<öPv@š\x1a6®HnðºÌtÐßF" | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\632be428 = "qŒ\fÇɲm¡ñÇ\x05\bX\x11éÆhŠ6•b—U¤ÿ9\x18Á•\x11É_!q¶\x19x¦8äÈá°N\u0090>é\tæ¬XÚi\u0090¬ÇQßøÊPq\x04ˆ\fŸ\x18éZ¹’×™\x10\"W1éŸi‰”HùÐç×<öPv@š\x1a6®HnðºÌtÐßF" | C:\Windows\apppatch\svchost.exe | N/A |
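The two Winlogon changes above are the ones an analyst has to verify on any host suspected of carrying this sample: the Userinit list (launched by winlogon.exe at every interactive logon) gained C:\Windows\apppatch\svchost.exe, and a value with a random eight-hex-digit name (632be428 here, 51fec057 in the Windows 10 run) received a binary blob. The path prefix \REGISTRY\MACHINE\ is the native form of HKLM\. The following Python is an added analyst check, not part of the sandbox report: it audits Winlogon values supplied as strings, so it runs offline against exported hives or a hive parser's output. The Userinit string is copied from the report; the Shell value and the blob placeholder are constructed.

```python
import ntpath
import re

# Defaults for the Winlogon values that control what winlogon.exe launches
# at logon: (expected directory or None for a bare name, expected basename).
EXPECTED = {
    "Userinit": [(r"c:\windows\system32", "userinit.exe")],
    "Shell": [(None, "explorer.exe")],
}
# Windows binaries whose names malware borrows; one of these outside the
# system directories (C:\Windows\apppatch\svchost.exe here) is masquerading.
SYSTEM_BINARIES = {"svchost.exe", "userinit.exe", "explorer.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# The sample stored its blob under a random 8-hex-digit value name.
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$")

# Constructed input: Userinit is the string from the report; Shell is the
# Windows default and the blob is a placeholder for the escaped bytes shown.
REPORT_VALUES = {
    "Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\apppatch\svchost.exe,",
    "Shell": "explorer.exe",
    "632be428": "<opaque binary blob>",
}


def split_entries(value: str) -> list[str]:
    """Winlogon lists are comma separated; a trailing comma is normal."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def audit_winlogon(values: dict[str, str]) -> list[str]:
    """Return one finding per deviation from the stock Winlogon configuration."""
    findings: list[str] = []
    for name, value in values.items():
        if HEX_VALUE_NAME.match(name.lower()):
            findings.append(f"unexpected value {name!r} under Winlogon ({len(value)} chars)")
            continue
        if name not in EXPECTED:
            continue
        for path in split_entries(value):
            directory, base = ntpath.split(path)
            directory, base = directory.lower(), base.lower()
            if any(base == eb and (ed is None or directory == ed) for ed, eb in EXPECTED[name]):
                continue  # stock entry, nothing to report
            if base in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
                findings.append(f"{name}: {path} masquerades as {base} outside System32")
            else:
                findings.append(f"{name}: unexpected autostart entry {path}")
    return findings


if __name__ == "__main__":
    for finding in audit_winlogon(REPORT_VALUES):
        print(finding)
```

On a live host the input comes from `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"`; the key is not WOW64-redirected, so one query covers both runs above. Note that the write was performed by the dropped svchost.exe (Process column), which only succeeds because the sandbox runs the sample as an administrator; under a standard user the HKLM write fails and this persistence path is unavailable.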
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 876 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | C:\Windows\apppatch\svchost.exe |
| PID 876 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | C:\Windows\apppatch\svchost.exe |
| PID 876 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | C:\Windows\apppatch\svchost.exe |
| PID 876 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe
"C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| GB | 92.123.128.170:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| DE | 178.162.217.107:80 | gatyfus.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 69.162.80.60:80 | lysyfyj.com | tcp |
| US | 172.67.173.131:80 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 69.162.80.60:80 | lysyfyj.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| DE | 178.162.203.202:80 | gatyfus.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
| DE | 178.162.203.226:80 | gatyfus.com | tcp |
| NL | 85.17.31.82:80 | gatyfus.com | tcp |
| NL | 85.17.31.82:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 104.21.26.151:80 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 107.178.223.183:80 | lygynud.com | tcp |
| CN | 218.92.0.241:80 | lyrysor.com | tcp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| CN | 218.92.0.241:80 | lyrysor.com | tcp |
| US | 8.8.8.8:53 | pumylel.com | udp |
| US | 8.8.8.8:53 | lysysod.com | udp |
| US | 8.8.8.8:53 | qekynuq.com | udp |
| US | 8.8.8.8:53 | qedysov.com | udp |
| US | 8.8.8.8:53 | vopypif.com | udp |
| US | 8.8.8.8:53 | ganykaz.com | udp |
| US | 8.8.8.8:53 | pujybyq.com | udp |
| US | 8.8.8.8:53 | lyvyjox.com | udp |
| US | 8.8.8.8:53 | qetytug.com | udp |
| US | 8.8.8.8:53 | gahyvew.com | udp |
| US | 8.8.8.8:53 | purytyg.com | udp |
| US | 8.8.8.8:53 | vocyjic.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 8.8.8.8:53 | lygyvar.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | vonyket.com | udp |
| US | 8.8.8.8:53 | gaqyreh.com | udp |
| US | 8.8.8.8:53 | pupypiv.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | lykynyj.com | udp |
| US | 8.8.8.8:53 | puzyguv.com | udp |
| US | 8.8.8.8:53 | lymywaj.com | udp |
| US | 8.8.8.8:53 | qedyxip.com | udp |
| US | 8.8.8.8:53 | gatypub.com | udp |
| US | 8.8.8.8:53 | galyfyb.com | udp |
| US | 8.8.8.8:53 | vonyqok.com | udp |
| US | 8.8.8.8:53 | vojybek.com | udp |
| US | 8.8.8.8:53 | puvyjop.com | udp |
| US | 8.8.8.8:53 | pupyxup.com | udp |
| US | 8.8.8.8:53 | lyrytun.com | udp |
| US | 8.8.8.8:53 | qebyqil.com | udp |
| US | 8.8.8.8:53 | lykyfen.com | udp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 8.8.8.8:53 | gatyzys.com | udp |
| US | 8.8.8.8:53 | gacyhis.com | udp |
| US | 8.8.8.8:53 | vojydam.com | udp |
| US | 8.8.8.8:53 | vowyrym.com | udp |
| US | 8.8.8.8:53 | puvymul.com | udp |
| US | 8.8.8.8:53 | pufycol.com | udp |
| US | 8.8.8.8:53 | lyryled.com | udp |
| US | 8.8.8.8:53 | lyxygud.com | udp |
| US | 8.8.8.8:53 | qegysoq.com | udp |
| US | 8.8.8.8:53 | gacynuz.com | udp |
| US | 8.8.8.8:53 | vowykaf.com | udp |
| US | 8.8.8.8:53 | pufypiq.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | gahydoh.com | udp |
| US | 8.8.8.8:53 | qeqyreq.com | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 8.8.8.8:53 | volygyf.com | udp |
| US | 8.8.8.8:53 | pumywaq.com | udp |
| US | 8.8.8.8:53 | lysyxux.com | udp |
| US | 8.8.8.8:53 | qekyfeg.com | udp |
| US | 8.8.8.8:53 | vocymut.com | udp |
| US | 8.8.8.8:53 | purylev.com | udp |
| US | 8.8.8.8:53 | lygysij.com | udp |
| US | 8.8.8.8:53 | qexynyp.com | udp |
| US | 8.8.8.8:53 | gaqykab.com | udp |
| US | 8.8.8.8:53 | vopyzuc.com | udp |
| US | 8.8.8.8:53 | pujydag.com | udp |
| US | 8.8.8.8:53 | lyvymir.com | udp |
| US | 8.8.8.8:53 | ganyqow.com | udp |
| US | 8.8.8.8:53 | qetylyv.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 103.224.212.210:80 | lyxynyx.com | tcp |
| US | 103.224.182.252:80 | vofycot.com | tcp |
| US | 13.248.213.45:80 | qexyhuv.com | tcp |
| US | 64.225.91.73:80 | galynuh.com | tcp |
| US | 44.221.84.105:80 | gadyciz.com | tcp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| HK | 154.85.183.50:80 | qegyval.com | tcp |
| US | 13.248.213.45:80 | qexyhuv.com | tcp |
| US | 103.224.182.252:80 | vofycot.com | tcp |
| US | 103.224.212.210:80 | lyxynyx.com | tcp |
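The Network table is dominated by lookups of seven-letter .com names that all share one shape (consonant, vowel, consonant, y, consonant, vowel, consonant: gatyfus, vojyqem, lyryfyd, qegyhig), which is the footprint of a domain generation algorithm; only a minority of them got past DNS to a TCP connection. The following Python is an added example, not part of the report: it parses rows in the table's own pipe format, separates that pattern from the sandbox's background traffic (www.bing.com, c.pki.goog, crl.microsoft.com), and lists which generated domains were actually contacted and at which addresses. The regular expression is a heuristic fitted to the domains on this page, not the family's published algorithm, and the embedded rows are a constructed excerpt of the table above.

```python
import re
from collections import defaultdict

# Heuristic read off this report's domains: 7 lowercase letters with
# consonant/vowel alternation and a fixed 'y' in fourth position, under .com.
C = "[bcdfghjklmnpqrstvwxz]"
V = "[aeiouy]"
DGA_LIKE = re.compile(rf"^{C}{V}{C}y{C}{V}{C}\.com$")

# Constructed excerpt of the behavioral1 Network table (rows copied verbatim).
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| GB | 92.123.128.170:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| DE | 178.162.217.107:80 | gatyfus.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
"""


def parse_rows(text: str) -> list[dict[str, str]]:
    """Parse the pipe-delimited table into dicts keyed by the header cells."""
    rows, header = [], None
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def is_dga_like(domain: str) -> bool:
    return bool(DGA_LIKE.match(domain.lower()))


def triage(text: str) -> dict:
    """Split DGA-style names from background traffic and track DNS -> TCP progress."""
    queried: set[str] = set()
    contacted: dict[str, set[str]] = defaultdict(set)  # domain -> {ip:port}
    background: set[str] = set()
    for row in parse_rows(text):
        domain = row["Domain"]
        if not is_dga_like(domain):
            background.add(domain)
        elif row["Proto"] == "udp" and row["Destination"].endswith(":53"):
            queried.add(domain)  # DNS lookup of a generated name
        elif row["Proto"] == "tcp":
            contacted[domain].add(row["Destination"])  # lookup succeeded, connection attempted
    return {
        "queried": sorted(queried),
        "resolved": {d: sorted(dsts) for d, dsts in sorted(contacted.items())},
        "unresolved": sorted(queried - contacted.keys()),
        "background": sorted(background),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for domain, dsts in result["resolved"].items():
        print(domain, "->", ", ".join(dsts))
    print("unresolved:", ", ".join(result["unresolved"]))
```

Resolution alone does not prove a live controller: registered DGA names are routinely taken over by sinkholes or land on parking services, so the `resolved` addresses are pivots to check, not confirmed C2. The `unresolved` list is what a DNS blocklist would have to cover, and the same per-domain pattern is the easier thing to alert on in resolver logs than any single name.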
Files
memory/876-0-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/876-1-0x00000000002F0000-0x0000000000341000-memory.dmp
memory/876-2-0x0000000000400000-0x000000000045F000-memory.dmp
\Windows\AppPatch\svchost.exe
| MD5 | a5fff9e59ae16e0215430a91a56b8797 |
| SHA1 | 71dade80aa9f3422e62a4f3bdeffeda10a3eda29 |
| SHA256 | e561416eebbc761341b2dec0bdf28a6d8a23b0a521e11407312bb2dd2ce06949 |
| SHA512 | 5e4230f966db04e7dd0d51f3eae4f365d4c3c4351bed2f29980fad6e5549c8bdae5bd15ff0cbefdfe73b93f933eacaeaa60490a9a648409cc43e48804be5e971 |
memory/876-18-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2728-19-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/876-17-0x00000000002F0000-0x0000000000341000-memory.dmp
memory/876-16-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/2728-20-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/2728-21-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/2728-24-0x00000000024F0000-0x0000000002598000-memory.dmp
memory/2728-32-0x00000000024F0000-0x0000000002598000-memory.dmp
memory/2728-30-0x00000000024F0000-0x0000000002598000-memory.dmp
memory/2728-33-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/2728-28-0x00000000024F0000-0x0000000002598000-memory.dmp
memory/2728-26-0x00000000024F0000-0x0000000002598000-memory.dmp
memory/2728-22-0x00000000024F0000-0x0000000002598000-memory.dmp
memory/2728-34-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-38-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-36-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-40-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-71-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-76-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-84-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-83-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-82-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-81-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-80-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-79-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-78-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-77-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-75-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-74-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-73-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-72-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-70-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-69-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-68-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-67-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-66-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-65-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-64-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-63-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-62-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-61-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-60-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-58-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-57-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-56-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-55-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-54-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-53-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-52-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-51-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-50-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-49-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-47-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-46-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-45-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-59-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-42-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-41-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-48-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-43-0x00000000026A0000-0x0000000002756000-memory.dmp
memory/2728-44-0x00000000026A0000-0x0000000002756000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-02 23:36
Reported
2024-11-02 23:38
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
121s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\51fec057 = "F\x04«×„ ©\x1a\u0081nÒ¹ÇFÍ\x16¬Û¦D;Ë6¨Ø«a»q`ž\x17µ%\x13}%½ \x1cýô=°žóàD[å\rTlä—]+6ÖÐߎÅ\u0090\x17\vîh\x7fˆÃ¨\u009d—\x1d%µ\bÍEHˆ" | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\51fec057 = "F\x04«×„ ©\x1a\u0081nÒ¹ÇFÍ\x16¬Û¦D;Ë6¨Ø«a»q`ž\x17µ%\x13}%½ \x1cýô=°žóàD[å\rTlä—]+6ÖÐߎÅ\u0090\x17\vîh\x7fˆÃ¨\u009d—\x1d%µ\bÍEHˆ" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2100 wrote to memory of 4404 | N/A | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2100 wrote to memory of 4404 | N/A | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2100 wrote to memory of 4404 | N/A | C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe
"C:\Users\Admin\AppData\Local\Temp\b3b0476e6ca158e805221a13fe5ab77f49bb0e57da8aa1701e971115eb99c8b7N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| GB | 92.123.128.187:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | 187.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 172.67.173.131:80 | qegyhig.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 69.162.80.60:80 | lysyfyj.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 99.83.170.3:443 | puzylyp.com | tcp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 69.162.80.60:80 | lysyfyj.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 205.71.79.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.170.83.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.173.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.10.94.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.222.234.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.46.253.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.50.191.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.156.208.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.80.162.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.231.212.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 107.178.223.183:80 | lygynud.com | tcp |
| US | 172.67.136.136:80 | lysyvan.com | tcp |
| CN | 218.92.0.241:80 | lyrysor.com | tcp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | 136.136.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.54.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.223.178.107.in-addr.arpa | udp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| CN | 218.92.0.241:80 | lyrysor.com | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qedysov.com | udp |
| US | 8.8.8.8:53 | pumylel.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 8.8.8.8:53 | lysysod.com | udp |
| US | 8.8.8.8:53 | vonyket.com | udp |
| US | 8.8.8.8:53 | qekynuq.com | udp |
| US | 8.8.8.8:53 | pupypiv.com | udp |
| US | 8.8.8.8:53 | ganykaz.com | udp |
| US | 8.8.8.8:53 | lykynyj.com | udp |
| US | 8.8.8.8:53 | vopypif.com | udp |
| US | 8.8.8.8:53 | qebykap.com | udp |
| US | 8.8.8.8:53 | gatypub.com | udp |
| US | 8.8.8.8:53 | lyvyjox.com | udp |
| US | 8.8.8.8:53 | vojybek.com | udp |
| US | 8.8.8.8:53 | qetytug.com | udp |
| US | 8.8.8.8:53 | puvyjop.com | udp |
| US | 8.8.8.8:53 | gahyvew.com | udp |
| US | 8.8.8.8:53 | lyrytun.com | udp |
| US | 8.8.8.8:53 | vocyjic.com | udp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 8.8.8.8:53 | purytyg.com | udp |
| US | 8.8.8.8:53 | gacyhis.com | udp |
| US | 8.8.8.8:53 | lygyvar.com | udp |
| US | 8.8.8.8:53 | vowyrym.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | pufycol.com | udp |
| US | 8.8.8.8:53 | gaqyreh.com | udp |
| US | 8.8.8.8:53 | lyxygud.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | qeqyreq.com | udp |
| US | 8.8.8.8:53 | puzyguv.com | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 8.8.8.8:53 | lymywaj.com | udp |
| US | 8.8.8.8:53 | volygyf.com | udp |
| US | 8.8.8.8:53 | qedyxip.com | udp |
| US | 8.8.8.8:53 | pumywaq.com | udp |
| US | 8.8.8.8:53 | galyfyb.com | udp |
| US | 8.8.8.8:53 | lysyxux.com | udp |
| US | 8.8.8.8:53 | vonyqok.com | udp |
| US | 8.8.8.8:53 | qekyfeg.com | udp |
| US | 8.8.8.8:53 | ganyqow.com | udp |
| US | 8.8.8.8:53 | pupyxup.com | udp |
| US | 8.8.8.8:53 | lykyfen.com | udp |
| US | 8.8.8.8:53 | vopyzuc.com | udp |
| US | 8.8.8.8:53 | qebyqil.com | udp |
| US | 8.8.8.8:53 | pujydag.com | udp |
| US | 8.8.8.8:53 | gatyzys.com | udp |
| US | 8.8.8.8:53 | lyvymir.com | udp |
| US | 8.8.8.8:53 | vojydam.com | udp |
| US | 8.8.8.8:53 | qetylyv.com | udp |
| US | 8.8.8.8:53 | puvymul.com | udp |
| US | 8.8.8.8:53 | gahydoh.com | udp |
| US | 8.8.8.8:53 | lyryled.com | udp |
| US | 8.8.8.8:53 | qegysoq.com | udp |
| US | 8.8.8.8:53 | vocymut.com | udp |
| US | 8.8.8.8:53 | purylev.com | udp |
| US | 8.8.8.8:53 | lygysij.com | udp |
| US | 8.8.8.8:53 | vowykaf.com | udp |
| US | 8.8.8.8:53 | qexynyp.com | udp |
| US | 8.8.8.8:53 | pufypiq.com | udp |
| US | 8.8.8.8:53 | gaqykab.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 76.223.67.189:80 | qexyhuv.com | tcp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 64.225.91.73:80 | galynuh.com | tcp |
| HK | 154.85.183.50:80 | qegyval.com | tcp |
| US | 8.8.8.8:53 | 189.67.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 44.221.84.105:80 | gadyciz.com | tcp |
| US | 103.224.212.210:80 | lyxynyx.com | tcp |
| US | 103.224.182.252:80 | vofycot.com | tcp |
| US | 8.8.8.8:53 | 50.183.85.154.in-addr.arpa | udp |
| US | 76.223.67.189:80 | qexyhuv.com | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 103.224.182.252:80 | vofycot.com | tcp |
| US | 103.224.212.210:80 | lyxynyx.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2100-0-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/2100-1-0x0000000002360000-0x00000000023B1000-memory.dmp
memory/2100-2-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Windows\apppatch\svchost.exe
| MD5 | a89a8e27880f58171e7e9c2e815bb4a1 |
| SHA1 | 1b1867ba855daf77bd55dd15b08fe5b18619df9a |
| SHA256 | 3b890f164fe23506a1530a8acf1d520720c513a8daf35bd0453764d08eb694d7 |
| SHA512 | 95962f978e9645645fc0958a7c7665b2af6504dd6e0f1b59ca5d19b537a5d898fc7c4d95805c2cc7aa0a7835898c3ec178d8667c18e5823e086f6bd381b5c462 |
memory/2100-15-0x0000000000400000-0x000000000045F000-memory.dmp
memory/4404-16-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/2100-14-0x0000000002360000-0x00000000023B1000-memory.dmp
memory/2100-13-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/4404-12-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/4404-17-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/4404-18-0x0000000003140000-0x00000000031E8000-memory.dmp
memory/4404-19-0x0000000000400000-0x00000000005B8000-memory.dmp
memory/4404-20-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-24-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-22-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-29-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-34-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-79-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-78-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-77-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-76-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-75-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-74-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-73-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-72-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-70-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-69-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-68-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-67-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-66-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-65-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-64-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-63-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-62-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-60-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-59-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-58-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-57-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-56-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-54-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-52-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-53-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-51-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-50-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-49-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-48-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-47-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-46-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-45-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-44-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-43-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-41-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-40-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-39-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-38-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-37-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-35-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-33-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-32-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-31-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-30-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-28-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-26-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-27-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-71-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-61-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-55-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-42-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-36-0x00000000032F0000-0x00000000033A6000-memory.dmp
memory/4404-25-0x00000000032F0000-0x00000000033A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8A6E.tmp
| MD5 | 6697d5de59fb37da55327d180d7920ff |
| SHA1 | 162d2033b2442d4dd984aaa2fde07c9069cb49f6 |
| SHA256 | 9a5004e493950dc3e7b6ff5fca32c2c71f25682b0fe00a908b49507985f8bd93 |
| SHA512 | 16d1ee3cced8b1d16e02a931cd282a63d9b93f9dfff8ccb431f83923e6986989fef9cdd7c713cbcb405614ace08911c6a20540ca77cabc7928db577c3f222d8e |