Malware Analysis Report

2024-12-07 15:07

Sample ID 241105-3pkzjssamn
Target fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N
SHA256 fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29
Tags simda discovery persistence stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29

Threat Level: Known bad

The file fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

simda

Modifies WinLogon for persistence

Simda family

Loads dropped DLL

Executes dropped EXE

Modifies WinLogon

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 23:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 23:41

Reported

2024-11-05 23:43

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ef9f12a6 = "ž\u008d«,\x14\x1dk\\ª(/\x06U'k\x06a˜Ó\x7f¾ÑÀ+\x02xKCŠ\x15°½o\u009du•ו\vÃí‹}Ÿµ³«‹Íƒu‹åEçs\a\x1d\u00ad\u008d·ƒÇ\x0f\x17»—g\x7f_c…•¯}¿Å÷õÃ\x05Õïc_M\x1d\u009dÝCm\x05ÿu›³E“ÅS‡»ç%+χee…575í÷¥=\u008d=§\x1f\x0fëåuOŸ5mK\x1d…\r½}#'\x03Ýå+Í\u00ad\u00ad•ëÍŸÕ=ã¿Íýµ§£½÷ÅG\x15[\x05Í{Së•UŸ-ÍmE\u00ad}µ\x1d—ã=\x03o»×3§½Ý'mÍå?%Ó\x15U%\aGu‹Åµ·%-•\x15³U¿\x0f›MË\u00ad{ó\x1d\x0f‡Ï#½ÿƒk;Å\x15•}\x1d\x1f\x7f'Í--g]—÷MÏ…õ7}Kg•\x1bÝ\x05÷\x1d" C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ef9f12a6 = "ž\u008d«,\x14\x1dk\\ª(/\x06U'k\x06a˜Ó\x7f¾ÑÀ+\x02xKCŠ\x15°½o\u009du•ו\vÃí‹}Ÿµ³«‹Íƒu‹åEçs\a\x1d\u00ad\u008d·ƒÇ\x0f\x17»—g\x7f_c…•¯}¿Å÷õÃ\x05Õïc_M\x1d\u009dÝCm\x05ÿu›³E“ÅS‡»ç%+χee…575í÷¥=\u008d=§\x1f\x0fëåuOŸ5mK\x1d…\r½}#'\x03Ýå+Í\u00ad\u00ad•ëÍŸÕ=ã¿Íýµ§£½÷ÅG\x15[\x05Í{Së•UŸ-ÍmE\u00ad}µ\x1d—ã=\x03o»×3§½Ý'mÍå?%Ó\x15U%\aGu‹Åµ·%-•\x15³U¿\x0f›MË\u00ad{ó\x1d\x0f‡Ï#½ÿƒk;Å\x15•}\x1d\x1f\x7f'Í--g]—÷MÏ…õ7}Kg•\x1bÝ\x05÷\x1d" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe

"C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto

Files

C:\Windows\AppPatch\svchost.exe

MD5 b39c6ee2cf4ef3ee34c507e6e0fbb482
SHA1 462443abbc3f1b1311b871a94c86ff8db42188b9
SHA256 b689b08320a8047b548eec76d4d834d3303f28029c2e79571ae60de320e1921f
SHA512 8ad7f067f4d83cb0b22249a8d46005efe8ffc179a7fb5ec54df11c24615c809964713f0be595b3da21ae378584e90cb1770258b7a2e09cb96d868adc21f5facf

C:\Users\Admin\AppData\Local\Temp\BBD8.tmp

MD5 18b6da937416a7b71185740376bc074b
SHA1 b6a6c3eb68c0b42c20d2f775aac79ef122ca63c8
SHA256 b788071ca2e511a66af0fbec5887a96d662185c0cc52264054a3e0905a866a01
SHA512 ad56fc2068fc1ea1643c2b9c3c13b188a3e7dda35cdd52be0a6175a45c2cfcd2c12bbf58e502e0520067be1c5c82c278d5a2cb12f1331a00600eba047b582f77

C:\Users\Admin\AppData\Local\Temp\BBC3.tmp

MD5 ad4827e54897fb3a3234e894ddd4f778
SHA1 30645401313a6731b513042d6f6c1b15c3d4028b
SHA256 35d97648c441bead6fb6a8027b442997006b8be52566e9a2f17af1154eea78e1
SHA512 5854990018c549edaf8631109d885ecca63a33b6bc7b25099f9b93c2f79a4788f926297269621c84c273bf96f4b5808b328d5da44dcd7e1e27505690896a29ca

C:\Users\Admin\AppData\Local\Temp\5FF3.tmp

MD5 8e863937a023f36958a40c6372fa050e
SHA1 129ca78e0bd5435285005279e08dede96950e538
SHA256 635a8502f4a9209150dc570fa97bf30020e03212910befdf97d2578f1c05e65e
SHA512 1787969df5b65f456db9b1661114f40f9de873514b20a59372c5a31d3fc7d3418ca399382c0087a39547a1f06a2a96d2b5b953d5c779653098599e0da491c598

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 23:41

Reported

2024-11-05 23:43

Platform

win10v2004-20241007-en

Max time kernel

116s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\1d3f0723 = "ÇØø6mŠá…C’àtdqÍc5ú¥a\x1f¿š$óžñÄÀl" C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\1d3f0723 = "ÇØø6mŠá…C’àtdqÍc5ú¥a\x1f¿š$óžñÄÀl" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe N/A
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe

"C:\Users\Admin\AppData\Local\Temp\fe5cc9b55388c8cac1fb12f7e6c403404fec0766e8a6e457a8c7a9388ee96d29N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pupycag.com udp
US 8.8.8.8:53 lysyvan.com udp
US 107.178.223.183:80 lygynud.com tcp
US 76.223.54.146:80 pupydeq.com tcp
US 18.208.156.248:80 pupycag.com tcp
US 104.21.26.151:80 lysyvan.com tcp
CN 103.150.10.48:80 lyrysor.com tcp
US 104.21.26.151:443 lysyvan.com tcp
US 8.8.8.8:53 151.26.21.104.in-addr.arpa udp
US 8.8.8.8:53 183.223.178.107.in-addr.arpa udp
US 8.8.8.8:53 146.54.223.76.in-addr.arpa udp
US 104.21.26.151:443 lysyvan.com tcp
US 76.223.54.146:80 pupydeq.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
CN 103.150.10.48:80 lyrysor.com tcp

Files

memory/3432-0-0x0000000000510000-0x0000000000513000-memory.dmp

memory/3432-1-0x0000000000400000-0x000000000045F000-memory.dmp

C:\Windows\apppatch\svchost.exe

MD5 98854663577a669eba86ef413975fbed
SHA1 6246ef2e0b2fc2e72f1df502ffc3b7c6067bc4f5
SHA256 ff40a2b61c07d6d494217d1015743a4455e22d4119d684660523995a883ceed9
SHA512 ef8e33a17901a6d04a025c9c5d284265e2498c8a81b6af9f91f81b577c124e9638f98556bc697f5c7ea4389b8160392f69f2e79a44958e09e043a1d7ce71852d

memory/3432-14-0x0000000000400000-0x000000000045F000-memory.dmp

memory/3432-13-0x0000000000510000-0x0000000000513000-memory.dmp

memory/2720-12-0x0000000000400000-0x0000000000467000-memory.dmp

memory/3432-11-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2720-15-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2720-16-0x0000000002A00000-0x0000000002AA8000-memory.dmp

memory/2720-17-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2720-18-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-22-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-20-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-23-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-79-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-78-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-77-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-76-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-75-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-74-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-73-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-72-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-71-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-69-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-68-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-67-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-66-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-65-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-64-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-63-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-62-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-61-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-60-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-59-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-58-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-57-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-56-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-55-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-53-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-52-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-51-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-50-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-49-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-48-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-47-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-46-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-45-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-44-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-42-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-41-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-40-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-39-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-38-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-37-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-36-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-35-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-34-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-33-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-32-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-31-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-30-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-29-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-28-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-26-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-25-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-24-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-70-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-54-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-43-0x0000000002BB0000-0x0000000002C66000-memory.dmp

memory/2720-27-0x0000000002BB0000-0x0000000002C66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\964C.tmp

MD5 cf532c0ae162eb36729fc20354e0a281
SHA1 dbfcaaa632c3ac756041d778790df78a3f234803
SHA256 7d4bb8fe9b2dc117bc34c679d92959aa94fb146d345133bbc410ee1b72f862e9
SHA512 0b72ea92430298ecf06aae03ed7b0f15bffdd8ba1155532a9e8dcbcb31668534b723e34621a392203856329286126a636d4a65af5366a172f3365fa7c9e42e98