Analysis Overview
SHA256
fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29
Threat Level: Known bad
The file fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N was found to be: Known bad.
Malicious Activity Summary
simda
Modifies WinLogon for persistence
Simda family
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 23:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 23:41
Reported
2024-11-05 23:43
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ef9f12a6 = "ž\u008d«,\x14\x1dk\\ª(/\x06U'k\x06a˜Ó\x7f¾ÑÀ+\x02xKCŠ\x15°½o\u009du•ו\vÃí‹}Ÿµ³«‹Íƒu‹åEçs\a\x1d\u00ad\u008d·ƒÇ\x0f\x17»—g\x7f_c…•¯}¿Å÷õÃ\x05Õïc_M\x1d\u009dÝCm\x05ÿu›³E“ÅS‡»ç%+χee…575í÷¥=\u008d=§\x1f\x0fëåuOŸ5mK\x1d…\r½}#'\x03Ýå+Í\u00ad\u00ad•ëÍŸÕ=ã¿Íýµ§£½÷ÅG\x15[\x05Í{Së•UŸ-ÍmE\u00ad}µ\x1d—ã=\x03o»×3§½Ý'mÍå?%Ó\x15U%\aGu‹Åµ·%-•\x15³U¿\x0f›MË\u00ad{ó\x1d\x0f‡Ï#½ÿƒk;Å\x15•}\x1d\x1f\x7f'Í--g]—÷MÏ…õ7}Kg•\x1bÝ\x05÷\x1d" | C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ef9f12a6 = "ž\u008d«,\x14\x1dk\\ª(/\x06U'k\x06a˜Ó\x7f¾ÑÀ+\x02xKCŠ\x15°½o\u009du•ו\vÃí‹}Ÿµ³«‹Íƒu‹åEçs\a\x1d\u00ad\u008d·ƒÇ\x0f\x17»—g\x7f_c…•¯}¿Å÷õÃ\x05Õïc_M\x1d\u009dÝCm\x05ÿu›³E“ÅS‡»ç%+χee…575í÷¥=\u008d=§\x1f\x0fëåuOŸ5mK\x1d…\r½}#'\x03Ýå+Í\u00ad\u00ad•ëÍŸÕ=ã¿Íýµ§£½÷ÅG\x15[\x05Í{Së•UŸ-ÍmE\u00ad}µ\x1d—ã=\x03o»×3§½Ý'mÍå?%Ó\x15U%\aGu‹Åµ·%-•\x15³U¿\x0f›MË\u00ad{ó\x1d\x0f‡Ï#½ÿƒk;Å\x15•}\x1d\x1f\x7f'Í--g]—÷MÏ…õ7}Kg•\x1bÝ\x05÷\x1d" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe
"C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| GB | 92.123.128.149:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| DE | 178.162.217.107:80 | gatyfus.com | tcp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 75.2.71.199:80 | puzylyp.com | tcp |
| US | 162.255.119.102:80 | gahyqah.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 104.21.30.183:80 | qegyhig.com | tcp |
| US | 69.162.80.60:80 | lysyfyj.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 75.2.71.199:80 | puzylyp.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.195:80 | c.pki.goog | tcp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.157:80 | crl.microsoft.com | tcp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| CN | 103.150.10.48:80 | lyrysor.com | tcp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 107.178.223.183:80 | lygynud.com | tcp |
| US | 172.67.136.136:80 | lysyvan.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 107.178.223.183:80 | lygynud.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| CN | 103.150.10.48:80 | lyrysor.com | tcp |
| US | 8.8.8.8:53 | pumylel.com | udp |
| US | 8.8.8.8:53 | lysysod.com | udp |
| US | 8.8.8.8:53 | qekynuq.com | udp |
| US | 8.8.8.8:53 | ganykaz.com | udp |
| US | 8.8.8.8:53 | vopypif.com | udp |
| US | 8.8.8.8:53 | qedysov.com | udp |
| US | 8.8.8.8:53 | pujybyq.com | udp |
| US | 8.8.8.8:53 | lyvyjox.com | udp |
| US | 8.8.8.8:53 | qetytug.com | udp |
| US | 8.8.8.8:53 | gahyvew.com | udp |
| US | 8.8.8.8:53 | vocyjic.com | udp |
| US | 8.8.8.8:53 | purytyg.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 8.8.8.8:53 | lygyvar.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | gaqyreh.com | udp |
| US | 8.8.8.8:53 | lymywaj.com | udp |
| US | 8.8.8.8:53 | puzyguv.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | qedyxip.com | udp |
| US | 8.8.8.8:53 | galyfyb.com | udp |
| US | 8.8.8.8:53 | vonyqok.com | udp |
| US | 8.8.8.8:53 | pupyxup.com | udp |
| US | 8.8.8.8:53 | lykyfen.com | udp |
| US | 8.8.8.8:53 | qebyqil.com | udp |
| US | 8.8.8.8:53 | gatyzys.com | udp |
| US | 8.8.8.8:53 | vojydam.com | udp |
| US | 8.8.8.8:53 | puvymul.com | udp |
| US | 8.8.8.8:53 | lyryled.com | udp |
| US | 8.8.8.8:53 | qegysoq.com | udp |
| US | 8.8.8.8:53 | gacynuz.com | udp |
| US | 8.8.8.8:53 | vowykaf.com | udp |
| US | 8.8.8.8:53 | pufypiq.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | pupypiv.com | udp |
| US | 8.8.8.8:53 | vonyket.com | udp |
| US | 8.8.8.8:53 | lykynyj.com | udp |
| US | 8.8.8.8:53 | qebykap.com | udp |
| US | 8.8.8.8:53 | gatypub.com | udp |
| US | 8.8.8.8:53 | vojybek.com | udp |
| US | 8.8.8.8:53 | puvyjop.com | udp |
| US | 8.8.8.8:53 | lyrytun.com | udp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 8.8.8.8:53 | gacyhis.com | udp |
| US | 8.8.8.8:53 | vowyrym.com | udp |
| US | 8.8.8.8:53 | pufycol.com | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 8.8.8.8:53 | lyxygud.com | udp |
| US | 8.8.8.8:53 | qeqyreq.com | udp |
| US | 8.8.8.8:53 | volygyf.com | udp |
| US | 8.8.8.8:53 | pumywaq.com | udp |
| US | 8.8.8.8:53 | qekyfeg.com | udp |
| US | 8.8.8.8:53 | ganyqow.com | udp |
| US | 8.8.8.8:53 | vopyzuc.com | udp |
| US | 8.8.8.8:53 | pujydag.com | udp |
| US | 8.8.8.8:53 | qexynyp.com | udp |
| US | 8.8.8.8:53 | lyvymir.com | udp |
| US | 8.8.8.8:53 | qetylyv.com | udp |
| US | 8.8.8.8:53 | gahydoh.com | udp |
| US | 8.8.8.8:53 | vocymut.com | udp |
| US | 8.8.8.8:53 | purylev.com | udp |
| US | 8.8.8.8:53 | lygysij.com | udp |
| US | 8.8.8.8:53 | gaqykab.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 13.248.213.45:80 | qexyhuv.com | tcp |
| US | 44.221.84.105:80 | gadyciz.com | tcp |
| US | 103.224.212.210:80 | lyxynyx.com | tcp |
| US | 64.225.91.73:80 | galynuh.com | tcp |
| US | 103.224.182.252:80 | vofycot.com | tcp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 8.8.8.8:53 | ww25.lyxynyx.com | udp |
| US | 199.59.243.227:80 | ww25.lyxynyx.com | tcp |
| HK | 154.85.183.50:80 | qegyval.com | tcp |
| US | 8.8.8.8:53 | ww16.vofycot.com | udp |
| DE | 64.190.63.136:80 | ww16.vofycot.com | tcp |
| US | 13.248.213.45:80 | qexyhuv.com | tcp |
Files
memory/1620-0-0x0000000000240000-0x0000000000243000-memory.dmp
memory/1620-1-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Windows\AppPatch\svchost.exe
| MD5 | b39c6ee2cf4ef3ee34c507e6e0fbb482 |
| SHA1 | 462443abbc3f1b1311b871a94c86ff8db42188b9 |
| SHA256 | b689b08320a8047b548eec76d4d834d3303f28029c2e79571ae60de320e1921f |
| SHA512 | 8ad7f067f4d83cb0b22249a8d46005efe8ffc179a7fb5ec54df11c24615c809964713f0be595b3da21ae378584e90cb1770258b7a2e09cb96d868adc21f5facf |
memory/1620-13-0x0000000000400000-0x000000000045F000-memory.dmp
memory/1620-11-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1620-12-0x0000000000240000-0x0000000000243000-memory.dmp
memory/2340-15-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2340-16-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2340-19-0x00000000020E0000-0x0000000002188000-memory.dmp
memory/2340-23-0x00000000020E0000-0x0000000002188000-memory.dmp
memory/2340-27-0x00000000020E0000-0x0000000002188000-memory.dmp
memory/2340-25-0x00000000020E0000-0x0000000002188000-memory.dmp
memory/2340-28-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2340-21-0x00000000020E0000-0x0000000002188000-memory.dmp
memory/2340-17-0x00000000020E0000-0x0000000002188000-memory.dmp
memory/2340-29-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-33-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-31-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-35-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-53-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-81-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-80-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-79-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-77-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-76-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-75-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-74-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-73-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-72-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-71-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-70-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-69-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-68-0x0000000002190000-0x0000000002246000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BBD8.tmp
| MD5 | 18b6da937416a7b71185740376bc074b |
| SHA1 | b6a6c3eb68c0b42c20d2f775aac79ef122ca63c8 |
| SHA256 | b788071ca2e511a66af0fbec5887a96d662185c0cc52264054a3e0905a866a01 |
| SHA512 | ad56fc2068fc1ea1643c2b9c3c13b188a3e7dda35cdd52be0a6175a45c2cfcd2c12bbf58e502e0520067be1c5c82c278d5a2cb12f1331a00600eba047b582f77 |
memory/2340-67-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-66-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-65-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-64-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-63-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-62-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-61-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-60-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-59-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-58-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-57-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-56-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-55-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-54-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-52-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-51-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-50-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-49-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-48-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-78-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-47-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-46-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-45-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-44-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-43-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-42-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-41-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-40-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-39-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-38-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-37-0x0000000002190000-0x0000000002246000-memory.dmp
memory/2340-36-0x0000000002190000-0x0000000002246000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BBC3.tmp
| MD5 | ad4827e54897fb3a3234e894ddd4f778 |
| SHA1 | 30645401313a6731b513042d6f6c1b15c3d4028b |
| SHA256 | 35d97648c441bead6fb6a8027b442997006b8be52566e9a2f17af1154eea78e1 |
| SHA512 | 5854990018c549edaf8631109d885ecca63a33b6bc7b25099f9b93c2f79a4788f926297269621c84c273bf96f4b5808b328d5da44dcd7e1e27505690896a29ca |
C:\Users\Admin\AppData\Local\Temp\5FF3.tmp
| MD5 | 8e863937a023f36958a40c6372fa050e |
| SHA1 | 129ca78e0bd5435285005279e08dede96950e538 |
| SHA256 | 635a8502f4a9209150dc570fa97bf30020e03212910befdf97d2578f1c05e65e |
| SHA512 | 1787969df5b65f456db9b1661114f40f9de873514b20a59372c5a31d3fc7d3418ca399382c0087a39547a1f06a2a96d2b5b953d5c779653098599e0da491c598 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-05 23:41
Reported
2024-11-05 23:43
Platform
win10v2004-20241007-en
Max time kernel
116s
Max time network
120s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\1d3f0723 = "ÇØø6mŠá…C’àtdqÍc5ú¥a\x1f¿š$óžñÄÀl" | C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\1d3f0723 = "ÇØø6mŠá…C’àtdqÍc5ú¥a\x1f¿š$óžñÄÀl" | C:\Windows\apppatch\svchost.exe | N/A |
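Both detonations record the same two Winlogon changes: behavioral1 and behavioral2 append C:\Windows\apppatch\svchost.exe to the Userinit list (the real userinit.exe stays first, so logon still works), and each writes an eight-hex-character value under Winlogon (ef9f12a6 in behavioral1, 1d3f0723 in behavioral2) whose data is not printable text. The Python below is an added example written for this page, not part of the sandbox report or of the sample; it audits a list of Winlogon (name, data) pairs for those two anomalies. The Userinit baseline and the list of directories from which a file named svchost.exe legitimately runs are assumptions for illustration, and the sample pairs are constructed from this report's signature rows, with the 1d3f0723 data shortened to its first bytes.

```python
"""Audit Winlogon values for the two anomalies recorded in this report.

Added example, not part of the sandbox report. Input is a list of
(value_name, data) pairs as read from
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon.
"""
import re
import string

# Assumed baseline: the stock Userinit entry on a client install. A real
# check should take the baseline from a known-good image of the same build.
DEFAULT_USERINIT = {r"c:\windows\system32\userinit.exe"}

# Assumed list of directories a file named svchost.exe legitimately runs from.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)
PRINTABLE = set(string.printable)


def parse_userinit(data):
    """Split the comma-separated Userinit list (the stock value also ends in a
    comma, so the empty trailing item is dropped). Winlogon launches every
    entry at logon, which is why an appended path gives persistence."""
    return [part.strip().lower() for part in data.split(",") if part.strip()]


def check_userinit(data):
    """Findings for a Userinit value: any entry outside the baseline, with a
    sharper tag when the extra entry masquerades as svchost.exe from a
    directory that is not a system directory (here C:\\Windows\\apppatch)."""
    findings = []
    for entry in parse_userinit(data):
        if entry in DEFAULT_USERINIT:
            continue
        exe_dir, _, exe_name = entry.rpartition("\\")
        if exe_name == "svchost.exe" and exe_dir not in LEGIT_SVCHOST_DIRS:
            findings.append(("userinit_masquerade", entry))
        else:
            findings.append(("userinit_extra_entry", entry))
    return findings


def check_winlogon_value(name, data):
    """Findings for one Winlogon value: Userinit tampering, or a value whose
    name is eight hex characters and whose data is not printable text (the
    ef9f12a6 / 1d3f0723 values in this report)."""
    if name.lower() == "userinit":
        return check_userinit(data)
    if HEX_NAME.match(name) and any(ch not in PRINTABLE for ch in data):
        return [("opaque_hex_named_value", name)]
    return []


def audit_winlogon(values):
    """Run the per-value checks over every (name, data) pair."""
    findings = []
    for name, data in values:
        findings.extend(check_winlogon_value(name, data))
    return findings


# Constructed sample built from this report's signature rows; the data of the
# 1d3f0723 value is shortened to its first few bytes.
SAMPLE_VALUES = [
    ("Userinit", r"C:\Windows\system32\userinit.exe,C:\Windows\apppatch\svchost.exe,"),
    ("Shell", "explorer.exe"),
    ("1d3f0723", "\u00c7\u00d8\u00f86m\u0160\u00e1\x1f\u00bf"),
]

if __name__ == "__main__":
    for finding in audit_winlogon(SAMPLE_VALUES):
        print(finding)
```

On a live Windows host the same (name, data) pairs can be read with the standard-library winreg module and passed to audit_winlogon. The two baseline sets are placeholders; replace them with values taken from a clean build of the same OS version before relying on the Userinit check.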
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe | N/A |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3432 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe | C:\Windows\apppatch\svchost.exe |
| PID 3432 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe | C:\Windows\apppatch\svchost.exe |
| PID 3432 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe
"C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| GB | 92.123.128.164:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| DE | 178.162.217.107:80 | gatyfus.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 69.162.80.60:80 | lysyfyj.com | tcp |
| US | 104.21.30.183:80 | qegyhig.com | tcp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 99.83.170.3:443 | puzylyp.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.222.234.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.30.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.170.83.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.156.208.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.10.94.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.50.191.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.46.253.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.80.162.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.231.212.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| DE | 178.162.203.211:80 | gatyfus.com | tcp |
| NL | 5.79.71.225:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 225.71.79.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| NL | 5.79.71.225:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 107.178.223.183:80 | lygynud.com | tcp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 104.21.26.151:80 | lysyvan.com | tcp |
| CN | 103.150.10.48:80 | lyrysor.com | tcp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | 151.26.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.223.178.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.54.223.76.in-addr.arpa | udp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| CN | 103.150.10.48:80 | lyrysor.com | tcp |
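The network rows above mix sandbox noise (reverse lookups, Bing telemetry) with dozens of short .com lookups whose labels strictly alternate consonant and vowel, of which only a handful (lygynud.com, pupydeq.com, pupycag.com, lysyvan.com, lyrysor.com) were followed by a TCP connection. The script below is an added example, not part of the sandbox report or any Simda tooling: it parses rows in this table's shape, applies a letter-shape heuristic derived from the rows on this page (an observation, not a published Simda DGA specification), and correlates DNS queries with later TCP flows to isolate the domains that actually resolved during detonation. `SAMPLE_ROWS` is a constructed subset of the table and `NOISE_SUFFIXES` is an assumed allow-list for this sandbox's background traffic.

```python
"""Triage of the report's network table: which queried domains look
algorithmically generated, and which of those were then reached over TCP."""
import re
from collections import OrderedDict

# Constructed sample in the shape of the report's network rows
# (country | destination | domain | protocol); a subset of the real table.
SAMPLE_ROWS = """
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 107.178.223.183:80 | lygynud.com | tcp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 8.8.8.8:53 | 183.223.178.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
"""

ROW_RE = re.compile(
    r"^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(udp|tcp)\s*\|$"
)

# Assumed allow-list of detonation background noise (reverse lookups of the
# contacted IPs and Windows/Bing telemetry); extend it for your own sandbox.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.net")

VOWELS = set("aeiouy")


def looks_generated(domain: str) -> bool:
    """Heuristic derived from the rows in this report: a 7-letter .com label
    that strictly alternates consonant/vowel (e.g. lygynud, pupydeq).
    Observed pattern, not a published Simda DGA specification."""
    label, _, tld = domain.rpartition(".")
    if tld != "com" or len(label) != 7 or not label.isalpha():
        return False
    shape = [c in VOWELS for c in label]
    return shape == [False, True, False, True, False, True, False]


def parse_rows(text: str) -> list:
    """Return (country, ip, port, domain, proto) tuples for well-formed rows."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append((cc, ip, int(port), domain, proto))
    return rows


def triage(text: str) -> dict:
    queried, contacted = OrderedDict(), OrderedDict()
    for _cc, ip, port, domain, proto in parse_rows(text):
        if domain.endswith(NOISE_SUFFIXES):
            continue
        if proto == "udp" and port == 53:
            queried[domain] = queried.get(domain, 0) + 1
        elif proto == "tcp":
            contacted.setdefault(domain, set()).add(f"{ip}:{port}")
    dga_like = [d for d in queried if looks_generated(d)]
    # A DGA-like domain that was queried and then reached over TCP resolved
    # during detonation: that short list is what to block and hunt for,
    # not the full set of unregistered candidates.
    live = {d: sorted(contacted[d]) for d in dga_like if d in contacted}
    return {"queried": len(queried), "dga_like": dga_like, "live": live}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print(f"{result['queried']} distinct queries, {len(result['dga_like'])} DGA-like")
    for domain, peers in result["live"].items():
        print(f"  live: {domain} -> {', '.join(peers)}")
```

Run against the full table, the same logic would surface the five domains with TCP follow-ups (including lysyvan.com on both 80 and 443 and lyrysor.com in CN) while discarding the unresolved candidates and the tse1.mm.bing.net rows. Note that a TCP row only proves DNS resolution and a connection attempt; the table does not show whether the peer answered.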
Files
memory/3432-0-0x0000000000510000-0x0000000000513000-memory.dmp
memory/3432-1-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Windows\apppatch\svchost.exe
| MD5 | 98854663577a669eba86ef413975fbed |
| SHA1 | 6246ef2e0b2fc2e72f1df502ffc3b7c6067bc4f5 |
| SHA256 | ff40a2b61c07d6d494217d1015743a4455e22d4119d684660523995a883ceed9 |
| SHA512 | ef8e33a17901a6d04a025c9c5d284265e2498c8a81b6af9f91f81b577c124e9638f98556bc697f5c7ea4389b8160392f69f2e79a44958e09e043a1d7ce71852d |
memory/3432-14-0x0000000000400000-0x000000000045F000-memory.dmp
memory/3432-13-0x0000000000510000-0x0000000000513000-memory.dmp
memory/2720-12-0x0000000000400000-0x0000000000467000-memory.dmp
memory/3432-11-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2720-15-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2720-16-0x0000000002A00000-0x0000000002AA8000-memory.dmp
memory/2720-17-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2720-18-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-22-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-20-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-23-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-79-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-78-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-77-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-76-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-75-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-74-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-73-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-72-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-71-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-69-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-68-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-67-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-66-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-65-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-64-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-63-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-62-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-61-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-60-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-59-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-58-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-57-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-56-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-55-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-53-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-52-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-51-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-50-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-49-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-48-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-47-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-46-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-45-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-44-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-42-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-41-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-40-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-39-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-38-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-37-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-36-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-35-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-34-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-33-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-32-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-31-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-30-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-29-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-28-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-26-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-25-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-24-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-70-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-54-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-43-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-27-0x0000000002BB0000-0x0000000002C66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\964C.tmp
| MD5 | cf532c0ae162eb36729fc20354e0a281 |
| SHA1 | dbfcaaa632c3ac756041d778790df78a3f234803 |
| SHA256 | 7d4bb8fe9b2dc117bc34c679d92959aa94fb146d345133bbc410ee1b72f862e9 |
| SHA512 | 0b72ea92430298ecf06aae03ed7b0f15bffdd8ba1155532a9e8dcbcb31668534b723e34621a392203856329286126a636d4a65af5366a172f3365fa7c9e42e98 |
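The memory dump names in the Files section encode the process id, a dump index and the address range; read as a whole they show PID 2720 (the process the dropped svchost.exe runs in, per the signatures) having one range, 0x02BB0000-0x02C66000, dumped several dozen times while the ranges at the 0x400000 image base appear only a few times. The script below is an added example, not part of the sandbox report: it groups the dump names by process and range, sizes each range, and flags non-image ranges that were dumped repeatedly, which is where an analyst would look first for unpacked code. `SAMPLE_DUMPS` is a constructed subset of the list on this page, and `IMAGE_BASE` assumes a non-relocated 32-bit PE; the sandbox's rule for when it takes a dump is not documented on this page, so a repeatedly dumped range is a lead, not proof of unpacking.

```python
"""Summarize the report's memory dump list: group dumps by process and
address range, size each range, and flag non-image ranges dumped repeatedly."""
import re
from collections import defaultdict

# Constructed subset of the report's Files section, same
# memory/<pid>-<index>-<start>-<end>-memory.dmp naming.
SAMPLE_DUMPS = """
memory/3432-0-0x0000000000510000-0x0000000000513000-memory.dmp
memory/3432-1-0x0000000000400000-0x000000000045F000-memory.dmp
memory/3432-11-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2720-12-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2720-16-0x0000000002A00000-0x0000000002AA8000-memory.dmp
memory/2720-18-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-22-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/2720-79-0x0000000002BB0000-0x0000000002C66000-memory.dmp
"""

DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp"
)

# Assumption: a 32-bit PE loaded at the default, non-relocated image base.
IMAGE_BASE = 0x400000


def summarize(text: str) -> list:
    """One record per (pid, start, end) with size and dump count."""
    regions = defaultdict(list)  # (pid, start, end) -> dump indices
    for m in DUMP_RE.finditer(text):
        pid, idx, start, end = m.groups()
        regions[(int(pid), int(start, 16), int(end, 16))].append(int(idx))
    out = []
    for (pid, start, end), idxs in sorted(regions.items()):
        out.append({
            "pid": pid, "start": start, "end": end, "size": end - start,
            "dumps": len(idxs), "first": min(idxs), "last": max(idxs),
            "kind": "image" if start == IMAGE_BASE else "non-image",
        })
    return out


def hot_regions(summary: list, min_dumps: int = 2) -> list:
    """Non-image ranges the sandbox dumped more than once: memory the process
    kept rewriting after allocating it, the usual home of an unpacked payload."""
    return [r for r in summary
            if r["kind"] == "non-image" and r["dumps"] >= min_dumps]


if __name__ == "__main__":
    summary = summarize(SAMPLE_DUMPS)
    for r in summary:
        print(f"pid {r['pid']} {r['start']:#010x}-{r['end']:#010x} "
              f"size {r['size']:#x} {r['kind']:9} dumps={r['dumps']} "
              f"(idx {r['first']}..{r['last']})")
    for r in hot_regions(summary):
        print(f"hot: pid {r['pid']} {r['start']:#010x} ({r['size']:#x} bytes)")
```

On the full list the 0x02BB0000 range of PID 2720 comes out at 0xB6000 bytes with dumps spanning indices 18 through 79, which is the dump to load first in a disassembler. The two image-base ranges with different ends (0x45F000 in PID 3432, 0x467000 in both processes) are also worth a side-by-side comparison, since a changed image size at the same base usually means the mapped image was rewritten in place.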