Malware Analysis Report

2024-12-07 15:07

Sample ID 241106-e15w4atnfs
Target ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN
SHA256 ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fb
Tags
simda discovery persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fb

Threat Level: Known bad

The file ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

simda

Simda family

Modifies WinLogon for persistence

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 04:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 04:25

Reported

2024-11-06 04:27

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4c05676a = "ÁØXe\x13Â\b+\x11‰x3Ú´ämVY|ø\tjÏT½™ð@gJ\u00adzBr¼zXjøt*\n¼zF:‚ðòHHPR¢Âl:ªÔ¼ZBlÜ*\n*j\nšªJTäÂT~@\x02\x16Ê|ŒRZ^’z´„" C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4c05676a = "ÁØXe\x13Â\b+\x11‰x3Ú´ämVY|ø\tjÏT½™ð@gJ\u00adzBr¼zXjøt*\n¼zF:‚ðòHHPR¢Âl:ªÔ¼ZBlÜ*\n*j\nšªJTäÂT~@\x02\x16Ê|ŒRZ^’z´„" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe N/A (4 events)
N/A N/A C:\Windows\apppatch\svchost.exe N/A (60 events)

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe

"C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto
GB 92.123.128.161:80 www.bing.com tcp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 pupybul.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 galykes.com udp
US 8.8.8.8:53 qedynul.com udp
US 8.8.8.8:53 lymysan.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 vofymik.com udp
US 8.8.8.8:53 gaqydeb.com udp
US 8.8.8.8:53 qexylup.com udp
US 8.8.8.8:53 lygymoj.com udp
US 8.8.8.8:53 purydyv.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 lyryfyd.com udp
US 8.8.8.8:53 puvyxil.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 qekykev.com udp
US 8.8.8.8:53 lysynur.com udp
US 8.8.8.8:53 pumypog.com udp
US 8.8.8.8:53 volykyc.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 qeqysag.com udp
US 8.8.8.8:53 lyxylux.com udp
US 8.8.8.8:53 pufymoq.com udp
US 8.8.8.8:53 vowydef.com udp
US 8.8.8.8:53 gacyzuz.com udp
US 8.8.8.8:53 qegyqaq.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 vojyqem.com udp
US 44.221.84.105:80 qetyfuv.com tcp
US 99.83.170.3:80 puzylyp.com tcp
US 208.100.26.245:80 lyvyxor.com tcp
US 162.255.119.102:80 gahyqah.com tcp
US 172.234.222.138:80 vojyqem.com tcp
DE 178.162.203.202:80 gatyfus.com tcp
US 18.208.156.248:80 vonypom.com tcp
US 44.221.84.105:80 qetyfuv.com tcp
US 99.83.170.3:80 puzylyp.com tcp
US 172.234.222.138:80 vojyqem.com tcp
US 8.8.8.8:53 www.gahyqah.com udp
DE 91.195.240.19:80 www.gahyqah.com tcp
US 8.8.8.8:53 ganypih.com udp
US 8.8.8.8:53 lykyjad.com udp
US 8.8.8.8:53 vopybyt.com udp
US 8.8.8.8:53 vojyjof.com udp
US 8.8.8.8:53 puvytuq.com udp
US 8.8.8.8:53 lyryvex.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 vowycac.com udp
US 8.8.8.8:53 gacyryw.com udp
US 8.8.8.8:53 pufygug.com udp
US 8.8.8.8:53 lyxywer.com udp
US 8.8.8.8:53 qeqyxov.com udp
US 8.8.8.8:53 qebytiq.com udp
US 8.8.8.8:53 gatyvyz.com udp
US 8.8.8.8:53 gadyfuh.com udp
US 8.8.8.8:53 volyqat.com udp
US 8.8.8.8:53 pumyxiv.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 qekyqop.com udp
US 8.8.8.8:53 pujyjav.com udp
US 8.8.8.8:53 lyvytuj.com udp
US 8.8.8.8:53 qetyvep.com udp
US 8.8.8.8:53 gahyhob.com udp
US 8.8.8.8:53 vocyruk.com udp
US 8.8.8.8:53 purycap.com udp
US 8.8.8.8:53 lygygin.com udp
US 8.8.8.8:53 qexyryl.com udp
US 8.8.8.8:53 gaqycos.com udp
US 8.8.8.8:53 vofygum.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 puzywel.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 qedyfyq.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 vonyzuf.com udp
US 69.162.80.58:80 lysyfyj.com tcp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 qegyhig.com udp
US 172.67.173.131:80 qegyhig.com tcp
US 8.8.8.8:53 galyqaz.com udp
US 3.94.10.34:80 lymyxid.com tcp
US 199.191.50.83:80 galyqaz.com tcp
US 8.8.8.8:53 ww1.lysyfyj.com udp
US 172.67.173.131:443 qegyhig.com tcp
US 8.8.8.8:53 gadyniw.com udp
US 208.91.196.145:80 ww1.lysyfyj.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
HK 154.212.231.82:80 gadyniw.com tcp
US 172.67.173.131:443 qegyhig.com tcp
DE 178.162.203.226:80 gatyfus.com tcp
NL 85.17.31.122:80 gatyfus.com tcp
DE 178.162.217.107:80 gatyfus.com tcp
NL 85.17.31.82:80 gatyfus.com tcp
DE 178.162.203.211:80 gatyfus.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.157:80 crl.microsoft.com tcp
NL 5.79.71.225:80 gatyfus.com tcp
NL 5.79.71.205:80 gatyfus.com tcp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 gatydaw.com udp
US 8.8.8.8:53 puvylyg.com udp
US 8.8.8.8:53 vojymic.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 qegynuv.com udp
US 8.8.8.8:53 vowypit.com udp
US 8.8.8.8:53 gacykeh.com udp
US 8.8.8.8:53 pufybyv.com udp
US 8.8.8.8:53 qeqytup.com udp
US 8.8.8.8:53 lyxyjaj.com udp
US 8.8.8.8:53 ganyzub.com udp
US 8.8.8.8:53 gadyveb.com udp
US 8.8.8.8:53 vopydek.com udp
US 8.8.8.8:53 volyjok.com udp
US 8.8.8.8:53 pumytup.com udp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 lyvylyn.com udp
US 8.8.8.8:53 qekyhil.com udp
US 8.8.8.8:53 qetysal.com udp
US 8.8.8.8:53 ganyrys.com udp
US 8.8.8.8:53 vopycom.com udp
US 8.8.8.8:53 gahynus.com udp
US 8.8.8.8:53 pujygul.com udp
US 8.8.8.8:53 vocykem.com udp
US 8.8.8.8:53 lyvywed.com udp
US 8.8.8.8:53 qetyxiq.com udp
US 8.8.8.8:53 purypol.com udp
US 8.8.8.8:53 gahyfyz.com udp
US 8.8.8.8:53 lygynud.com udp
US 8.8.8.8:53 vocyqaf.com udp
US 8.8.8.8:53 pujymip.com udp
US 8.8.8.8:53 puryxuq.com udp
US 8.8.8.8:53 lygyfex.com udp
US 8.8.8.8:53 qexykaq.com udp
US 8.8.8.8:53 qexyqog.com udp
US 8.8.8.8:53 vofybyf.com udp
US 8.8.8.8:53 gaqyzuw.com udp
US 8.8.8.8:53 vofydac.com udp
US 8.8.8.8:53 puzyjoq.com udp
US 8.8.8.8:53 puzymig.com udp
US 8.8.8.8:53 lymytux.com udp
US 8.8.8.8:53 lykymox.com udp
US 8.8.8.8:53 qedyveg.com udp
US 8.8.8.8:53 qebylug.com udp
US 8.8.8.8:53 gaqypiz.com udp
US 8.8.8.8:53 galyhiw.com udp
US 8.8.8.8:53 vonyryc.com udp
US 8.8.8.8:53 pupycag.com udp
US 8.8.8.8:53 lykygur.com udp
US 8.8.8.8:53 qebyrev.com udp
US 8.8.8.8:53 gatycoh.com udp
US 8.8.8.8:53 vojygut.com udp
US 8.8.8.8:53 puvywav.com udp
US 8.8.8.8:53 lyryxij.com udp
US 8.8.8.8:53 qegyfyp.com udp
US 8.8.8.8:53 gacyqob.com udp
US 8.8.8.8:53 vowyzuk.com udp
US 8.8.8.8:53 pufydep.com udp
US 8.8.8.8:53 lyxymin.com udp
US 8.8.8.8:53 gadydas.com udp
US 8.8.8.8:53 qeqylyl.com udp
US 8.8.8.8:53 volymum.com udp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 lygynud.com udp
US 8.8.8.8:53 lysyvan.com udp
US 76.223.54.146:80 pupydeq.com tcp
US 104.155.138.21:80 lygynud.com tcp
US 172.67.136.136:80 lysyvan.com tcp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 pupycag.com udp
US 18.208.156.248:80 pupycag.com tcp
CN 103.150.10.48:80 lyrysor.com tcp
US 172.67.136.136:443 lysyvan.com tcp
US 172.67.136.136:443 lysyvan.com tcp
US 76.223.54.146:80 pupydeq.com tcp
CN 103.150.10.48:80 lyrysor.com tcp

Files

memory/3024-0-0x0000000000240000-0x0000000000243000-memory.dmp

memory/3024-1-0x0000000000400000-0x000000000045F000-memory.dmp

\Windows\AppPatch\svchost.exe

MD5 f148490e99960eab2447fb6ea7def19b
SHA1 b4b503c61c3e8dd5b1a700c9da1376ee3431078e
SHA256 7691b9e71b8f3fab36a0f93b65a3725c9af191552e6c92fe44499668ad9b97ba
SHA512 782f6c1cad8a0310d1e694a275195ea5792af5173ae458ee56d8823769a6a477e60fbaa83272c88016765c78f272959a1f280725fa8c8405b4d4d0eb21d22662

memory/3024-14-0x0000000000400000-0x000000000045F000-memory.dmp

memory/3024-13-0x0000000000240000-0x0000000000243000-memory.dmp

memory/3024-12-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2648-15-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2648-16-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2648-17-0x0000000002280000-0x0000000002328000-memory.dmp

memory/2648-21-0x0000000002280000-0x0000000002328000-memory.dmp

memory/2648-27-0x0000000002280000-0x0000000002328000-memory.dmp

memory/2648-25-0x0000000002280000-0x0000000002328000-memory.dmp

memory/2648-28-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2648-23-0x0000000002280000-0x0000000002328000-memory.dmp

memory/2648-19-0x0000000002280000-0x0000000002328000-memory.dmp

memory/2648-29-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-31-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-33-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-42-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-53-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-63-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-64-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-62-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-61-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-60-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-59-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-58-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-57-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-56-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-55-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-54-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-52-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-51-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-50-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-49-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-48-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-47-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-70-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-46-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-45-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-44-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-43-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-41-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-40-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-39-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-75-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-79-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-85-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-84-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-83-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-82-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-81-0x0000000002430000-0x00000000024E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F41F.tmp

MD5 f833851dd5570b55fe5456fe3fa7ab9d
SHA1 cc350e6c916f3c2b03799c8baae6430a85ecfd09
SHA256 762565ef966863d57d17634c987381f85125343d1d641fa8232022f5d5c867d4
SHA512 74dae407723a6861cf97ab7e1b15fe209b01048c9105a44fcaad18ce070c4c5ac7ad636237831f9662bae3fd75de81d6ed77b94d35bd0f7e107e56f1ce88d500

memory/2648-80-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-78-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-77-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-76-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-74-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-73-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-72-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-35-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-38-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-37-0x0000000002430000-0x00000000024E6000-memory.dmp

memory/2648-36-0x0000000002430000-0x00000000024E6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 04:25

Reported

2024-11-06 04:27

Platform

win10v2004-20241007-en

Max time kernel

115s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\56e90d2b = "ÿ\x10\x19\x12fœ¨ºcw >\x1c\nŒ¶¹ÉMaNÌ|ìSÿ›¿Œ\"*ßï\\DçuiO-ÕR}ÕlgD\aDìߥ\x11]TwZ\x1cÅÄ\x17u|ꯇ\\e\x14¥G<äI…,\aŸ\\§l-}J\u009d¿ôlüÔbç‘T¤DÄŠÄE\x121ÇUá\u008d×5Áí¯·ä_ý2¬U5=Uo-Üê\x04ywÝ\x1f\aI•ñ\n¼\x17RÜ\u009d\tu\u009de-W\a¥\a\x0f\x17´9Äÿ\x0f\aUR\u00ad¥!ä¿Dñ\x01<\x0f\x1f\\BéUÅ5|÷%ªÚì§Â$•ÝdŸ4\x19eʇü-¤qŸ·\x7fÇüdr-Ì9*¿2Rg„¯ÌB•\n\x1fMLo<ìOI©Í§\x01EÏ\x0fò\x1dõ\x02oœ—„\x04ÍÜõÿÑ„D\a¥\x7fÝÊ<\x17\x1dÌ”" C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\56e90d2b = "ÿ\x10\x19\x12fœ¨ºcw >\x1c\nŒ¶¹ÉMaNÌ|ìSÿ›¿Œ\"*ßï\\DçuiO-ÕR}ÕlgD\aDìߥ\x11]TwZ\x1cÅÄ\x17u|ꯇ\\e\x14¥G<äI…,\aŸ\\§l-}J\u009d¿ôlüÔbç‘T¤DÄŠÄE\x121ÇUá\u008d×5Áí¯·ä_ý2¬U5=Uo-Üê\x04ywÝ\x1f\aI•ñ\n¼\x17RÜ\u009d\tu\u009de-W\a¥\a\x0f\x17´9Äÿ\x0f\aUR\u00ad¥!ä¿Dñ\x01<\x0f\x1f\\BéUÅ5|÷%ªÚì§Â$•ÝdŸ4\x19eʇü-¤qŸ·\x7fÇüdr-Ì9*¿2Rg„¯ÌB•\n\x1fMLo<ìOI©Í§\x01EÏ\x0fò\x1dõ\x02oœ—„\x04ÍÜõÿÑ„D\a¥\x7fÝÊ<\x17\x1dÌ”" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe N/A
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe N/A
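The three signatures above ("Modifies WinLogon for persistence", "Modifies WinLogon" and "Drops file in Windows directory", identical in behavioral1 and behavioral2) describe one persistence chain: the sample copies itself to C:\Windows\apppatch\svchost.exe, appends that path to the Winlogon Userinit value so it starts at every interactive logon, and stores a blob under a Winlogon value named with eight hex digits (4c05676a on Win7, 56e90d2b on Win10). The script below is an added example, not sandbox output, that turns those observations into checks an analyst can run over exported registry values: it parses the comma-separated Userinit string, flags every entry that is not the stock userinit.exe, notes when a system-binary name such as svchost.exe lives outside System32/SysWOW64, and flags Winlogon value names outside a baseline. The baseline list and the default-install assumptions are mine; the sample binary-blob value in the demo is constructed to stand in for the data shown in the table.

```python
"""Audit the Winlogon values this report shows the sample modifying.

Added example; it assumes the values were already exported (reg query
output, a hive parser, an EDR registry event) and are passed in as plain
strings. It does not read a live registry.
"""
from __future__ import annotations

import re

# Stock Userinit entry on a default install (assumption: unmodified Windows).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Directories from which a binary named svchost.exe is legitimately started.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Value names normally present under Winlogon. Illustrative baseline and an
# assumption; diff against a golden image of your own build in real use.
KNOWN_WINLOGON_VALUES = {
    "shell", "userinit", "defaultusername", "defaultdomainname",
    "autoadminlogon", "legalnoticecaption", "legalnoticetext",
    "reportbootok", "powerdownaftershutdown", "vmapplet", "background",
    "shutdownwithoutlogon", "autorestartshell", "precreateknownfolders",
    "disablecad", "forceunlocklogon", "passwordexpirywarning",
    "cachedlogonscount", "lastusedusername", "debugservercommand",
    "winstationsdisabled", "taskman",
}

# Userinit value recorded in the "Modifies WinLogon for persistence" table.
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Windows\apppatch\svchost.exe,"


def parse_userinit(value: str) -> list[str]:
    """Split a Userinit string into its entries. Winlogon runs every
    comma-separated path in turn, so the trailing comma is harmless but
    every extra path is an autostart."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_userinit(value: str) -> list[str]:
    """One finding per entry that is not the stock userinit.exe, with a
    note when a system-binary name sits in a non-system directory."""
    findings = []
    for entry in parse_userinit(value):
        norm = entry.lower().strip('"')
        if norm == DEFAULT_USERINIT:
            continue
        finding = f"extra Userinit entry: {entry}"
        parent, _, base = norm.rpartition("\\")
        if base in ("svchost.exe", "userinit.exe", "explorer.exe") and parent not in SYSTEM_DIRS:
            finding += f" (system binary name in non-system directory {parent})"
        findings.append(finding)
    return findings


def audit_winlogon_values(values: dict[str, str]) -> list[str]:
    """Flag Winlogon value names outside the baseline. The sample's value
    (4c05676a / 56e90d2b) has an eight-hex-digit name and mostly
    non-printable data; both properties are reported when present."""
    findings = []
    for name, data in values.items():
        if name.lower() in KNOWN_WINLOGON_VALUES:
            continue
        notes = []
        if re.fullmatch(r"[0-9a-f]{8}", name.lower()):
            notes.append("8-hex-digit name")
        printable = sum(ch.isascii() and ch.isprintable() for ch in data)
        if data and printable / len(data) < 0.5:
            notes.append("mostly non-printable data")
        suffix = f" [{', '.join(notes)}]" if notes else ""
        findings.append(f"unexpected Winlogon value {name!r}{suffix}")
    return findings


if __name__ == "__main__":
    for f in audit_userinit(SAMPLE_USERINIT):
        print(f)
    # Constructed stand-in for the blob in the table above (not the real data).
    demo_values = {
        "Userinit": SAMPLE_USERINIT,
        "Shell": "explorer.exe",
        "4c05676a": "\x13\x02\x16\n\tÁØXe" + "\x0f" * 20,
    }
    for f in audit_winlogon_values(demo_values):
        print(f)
```

Feed it the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon values from a suspect host (and, on 64-bit systems, the Wow6432Node copy as well); a clean machine produces no findings, while the state this report records produces one Userinit finding pointing at the apppatch copy and one unexpected-value finding.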

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe N/A (8 events)
N/A N/A C:\Windows\apppatch\svchost.exe N/A (56 events)

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe

"C:\Users\Admin\AppData\Local\Temp\ff03b0e46c9b1672bc761f8f761d0f74e678a9b60eb2bae762213a33aa1e58fbN.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto
GB 92.123.128.149:80 www.bing.com tcp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 puvyxil.com udp
US 8.8.8.8:53 lyryfyd.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 qegyqaq.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 gacyzuz.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 purydyv.com udp
US 8.8.8.8:53 lygymoj.com udp
US 8.8.8.8:53 vowydef.com udp
US 8.8.8.8:53 qexylup.com udp
US 8.8.8.8:53 pufymoq.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 gaqydeb.com udp
US 8.8.8.8:53 lyxylux.com udp
US 8.8.8.8:53 vofymik.com udp
US 8.8.8.8:53 qeqysag.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 lymysan.com udp
US 8.8.8.8:53 volykyc.com udp
US 8.8.8.8:53 qedynul.com udp
US 8.8.8.8:53 pumypog.com udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 galykes.com udp
US 8.8.8.8:53 lysynur.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 qekykev.com udp
US 8.8.8.8:53 pupybul.com udp
US 8.8.8.8:53 ganypih.com udp
US 8.8.8.8:53 vopybyt.com udp
US 8.8.8.8:53 lykyjad.com udp
US 8.8.8.8:53 qebytiq.com udp
US 8.8.8.8:53 pujyjav.com udp
US 8.8.8.8:53 gatyvyz.com udp
US 8.8.8.8:53 lyvytuj.com udp
US 8.8.8.8:53 vojyjof.com udp
US 8.8.8.8:53 qetyvep.com udp
US 8.8.8.8:53 puvytuq.com udp
US 8.8.8.8:53 gahyhob.com udp
US 8.8.8.8:53 lyryvex.com udp
US 8.8.8.8:53 vocyruk.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 purycap.com udp
US 8.8.8.8:53 gacyryw.com udp
US 8.8.8.8:53 lygygin.com udp
US 8.8.8.8:53 vowycac.com udp
US 8.8.8.8:53 qexyryl.com udp
US 8.8.8.8:53 pufygug.com udp
US 8.8.8.8:53 gaqycos.com udp
US 8.8.8.8:53 lyxywer.com udp
US 8.8.8.8:53 vofygum.com udp
US 8.8.8.8:53 qeqyxov.com udp
US 8.8.8.8:53 puzywel.com udp
US 8.8.8.8:53 gadyfuh.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 volyqat.com udp
US 8.8.8.8:53 qedyfyq.com udp
US 8.8.8.8:53 pumyxiv.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 vonyzuf.com udp
US 8.8.8.8:53 qekyqop.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 galyqaz.com udp
US 3.94.10.34:80 lymyxid.com tcp
US 104.21.30.183:80 qegyhig.com tcp
US 75.2.71.199:80 puzylyp.com tcp
US 69.162.80.58:80 lysyfyj.com tcp
US 23.253.46.64:80 gahyqah.com tcp
US 44.221.84.105:80 qetyfuv.com tcp
US 172.234.222.138:80 vojyqem.com tcp
US 18.208.156.248:80 vonypom.com tcp
DE 178.162.203.226:80 gatyfus.com tcp
US 44.221.84.105:80 qetyfuv.com tcp
US 208.100.26.245:80 lyvyxor.com tcp
US 199.191.50.83:80 galyqaz.com tcp
US 23.253.46.64:80 gahyqah.com tcp
US 172.234.222.138:80 vojyqem.com tcp
US 75.2.71.199:443 puzylyp.com tcp
US 104.21.30.183:443 qegyhig.com tcp
US 8.8.8.8:53 gadyniw.com udp
HK 154.212.231.82:80 gadyniw.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 183.30.21.104.in-addr.arpa udp
US 8.8.8.8:53 149.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 199.71.2.75.in-addr.arpa udp
US 8.8.8.8:53 64.46.253.23.in-addr.arpa udp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 138.222.234.172.in-addr.arpa udp
US 8.8.8.8:53 58.80.162.69.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 83.50.191.199.in-addr.arpa udp
US 8.8.8.8:53 82.231.212.154.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
DE 178.162.203.202:80 gatyfus.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 104.21.30.183:443 qegyhig.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
DE 178.162.203.211:80 gatyfus.com tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
NL 5.79.71.205:80 gatyfus.com tcp
US 8.8.8.8:53 205.71.79.5.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 5.79.71.205:80 gatyfus.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
NL 85.17.31.122:80 gatyfus.com tcp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 ganyzub.com udp
US 8.8.8.8:53 lykymox.com udp
US 8.8.8.8:53 vopydek.com udp
US 8.8.8.8:53 qebylug.com udp
US 8.8.8.8:53 pujymip.com udp
US 8.8.8.8:53 gatydaw.com udp
US 8.8.8.8:53 lyvylyn.com udp
US 8.8.8.8:53 vojymic.com udp
US 8.8.8.8:53 qetysal.com udp
US 8.8.8.8:53 puvylyg.com udp
US 8.8.8.8:53 gahynus.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 vocykem.com udp
US 8.8.8.8:53 qegynuv.com udp
US 8.8.8.8:53 purypol.com udp
US 8.8.8.8:53 gacykeh.com udp
US 8.8.8.8:53 lygynud.com udp
US 8.8.8.8:53 vowypit.com udp
US 8.8.8.8:53 qexykaq.com udp
US 8.8.8.8:53 pufybyv.com udp
US 8.8.8.8:53 gaqypiz.com udp
US 8.8.8.8:53 lyxyjaj.com udp
US 8.8.8.8:53 vofybyf.com udp
US 8.8.8.8:53 qeqytup.com udp
US 8.8.8.8:53 puzyjoq.com udp
US 8.8.8.8:53 gadyveb.com udp
US 8.8.8.8:53 lymytux.com udp
US 8.8.8.8:53 volyjok.com udp
US 8.8.8.8:53 qedyveg.com udp
US 8.8.8.8:53 pumytup.com udp
US 8.8.8.8:53 galyhiw.com udp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 vonyryc.com udp
US 8.8.8.8:53 qekyhil.com udp
US 8.8.8.8:53 pupycag.com udp
US 8.8.8.8:53 ganyrys.com udp
US 8.8.8.8:53 lykygur.com udp
US 8.8.8.8:53 vopycom.com udp
US 8.8.8.8:53 qebyrev.com udp
US 8.8.8.8:53 pujygul.com udp
US 8.8.8.8:53 gatycoh.com udp
US 8.8.8.8:53 lyvywed.com udp
US 8.8.8.8:53 vojygut.com udp
US 8.8.8.8:53 puvywav.com udp
US 8.8.8.8:53 qetyxiq.com udp
US 8.8.8.8:53 gahyfyz.com udp
US 8.8.8.8:53 lyryxij.com udp
US 8.8.8.8:53 vocyqaf.com udp
US 8.8.8.8:53 qegyfyp.com udp
US 8.8.8.8:53 puryxuq.com udp
US 8.8.8.8:53 lygyfex.com udp
US 8.8.8.8:53 gacyqob.com udp
US 8.8.8.8:53 vowyzuk.com udp
US 8.8.8.8:53 qexyqog.com udp
US 8.8.8.8:53 pufydep.com udp
US 8.8.8.8:53 gaqyzuw.com udp
US 8.8.8.8:53 vofydac.com udp
US 8.8.8.8:53 lyxymin.com udp
US 8.8.8.8:53 qeqylyl.com udp
US 8.8.8.8:53 puzymig.com udp
US 8.8.8.8:53 lymylyr.com udp
US 8.8.8.8:53 gadydas.com udp
US 8.8.8.8:53 volymum.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 pupydeq.com udp
US 13.248.169.48:80 pupydeq.com tcp
US 8.8.8.8:53 lysyvan.com udp
CN 103.150.10.48:80 lyrysor.com tcp
US 172.67.136.136:80 lysyvan.com tcp
US 8.8.8.8:53 lygynud.com udp
US 107.178.223.183:80 lygynud.com tcp
US 172.67.136.136:443 lysyvan.com tcp
US 8.8.8.8:53 122.31.17.85.in-addr.arpa udp
US 8.8.8.8:53 136.136.67.172.in-addr.arpa udp
US 8.8.8.8:53 48.169.248.13.in-addr.arpa udp
US 8.8.8.8:53 pupycag.com udp
US 18.208.156.248:80 pupycag.com tcp
US 8.8.8.8:53 183.223.178.107.in-addr.arpa udp
US 172.67.136.136:443 lysyvan.com tcp
US 13.248.169.48:80 pupydeq.com tcp
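Apart from www.bing.com, c.pki.goog, crl.microsoft.com, tse1.mm.bing.net and the in-addr.arpa reverse lookups, every name in the two Network tables above has the same shape: a seven-letter .com label alternating consonant and vowel with a fixed "y" in the fourth position (lyvyxor, pupybul, gatyfus, qetyfuv, ...), a small set of prefixes (ly, pu, vo, ga, qe), and a handful of hosts that resolved and were then contacted over TCP/80 or 443. The script below is an added example, not part of the report, that encodes that observed shape as a hunting filter and runs it over a few rows copied from the tables. The regular expression is fitted to this sample's traffic only and is an assumption about other samples; it is a triage filter for this traffic shape, not a reimplementation of the family's domain generation algorithm.

```python
"""Split the DNS/TCP rows of this report into generated-looking domains
and everything else, and show which of the generated names were actually
contacted.

Added example. The pattern is fitted to the domains in this report
(7 lowercase letters, consonant/vowel alternating, 'y' in position 4)
and is an assumption about how related samples behave.
"""
from __future__ import annotations

import re
from collections import Counter

CONS = "[b-df-hj-np-tv-xz]"   # consonants, 'y' excluded on purpose
VOW = "[aeiouy]"
GENERATED = re.compile(f"^{CONS}{VOW}{CONS}y{CONS}{VOW}{CONS}$")

# Constructed subset of the "Network" tables above: country, dest, domain, proto.
SAMPLE_ROWS = """\
GB 92.123.128.161:80 www.bing.com tcp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 pupybul.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 www.gahyqah.com udp
DE 91.195.240.19:80 www.gahyqah.com tcp
US 44.221.84.105:80 qetyfuv.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 crl.microsoft.com udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
DE 178.162.203.202:80 gatyfus.com tcp
"""


def registered_label(domain: str) -> str | None:
    """Second-level label of a .com name. Returns None for reverse
    lookups and other TLDs, which this filter deliberately ignores."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "com":
        return None
    return labels[-2]


def looks_generated(domain: str) -> bool:
    """True when the registered label matches the observed shape; a
    www./ww1. prefix in front of a generated name still counts."""
    label = registered_label(domain)
    return bool(label) and GENERATED.match(label) is not None


def parse_rows(text: str) -> list[dict]:
    """Parse 'Country Destination Domain Proto' rows as printed above."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(text: str) -> dict:
    """Generated names that were only queried, generated names that also
    got a TCP connection (resolved and contacted), and the remaining
    names for manual review."""
    queried, contacted, other = set(), Counter(), set()
    for r in parse_rows(text):
        if looks_generated(r["domain"]):
            base = ".".join(r["domain"].split(".")[-2:])
            if r["proto"] == "tcp":
                contacted[base] += 1
            else:
                queried.add(base)
        else:
            other.add(r["domain"])
    return {"queried_only": sorted(queried - set(contacted)),
            "contacted": dict(contacted),
            "other": sorted(other)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(key, value)
```

Run over the full tables, the "contacted" set is the short list worth blocking or pivoting on (qetyfuv.com, puzylyp.com, gatyfus.com, lysyfyj.com and the others that resolved), while the long "queried_only" tail shows the candidate list the sample walks through until one answers. Tune the pattern before reusing it on other traffic: a seven-letter rule this narrow will miss a DGA with different parameters and can still match the occasional real word.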

Files

memory/2780-0-0x00007FFA06690000-0x00007FFA06885000-memory.dmp

C:\Windows\apppatch\svchost.exe

MD5 6eb5f0eb14a858134593465054ef5e08
SHA1 d464afc00d6fe510076f774f1a03ec8cb0d6f9a2
SHA256 c31321aa3c93ae424493b8728a8989765c44646fd1b5724ae7b6129a509b9b7a
SHA512 4c0e14bc18d38994197ef254d1759e33403b51318d9bdce03cd0798a3cdb13e35847814a64db222dfb1f6e6e5759ff80c3dedc7141792207addbbde36f83592b

C:\Users\Admin\AppData\Local\Temp\A5FF.tmp

MD5 599cf513c9ba00d89437139c4c2e56ed
SHA1 ecdda4694c267cf927b346c8f238a2887bc0207b
SHA256 eb31ce53a476aabc67154961558119f0d5d5fa1de0bdfb754d46cc62765a5a31
SHA512 db88610e1f86c363e011d89ade8370358d9cfaf6970ae9554fce1dae0c11b9de099b655643077c39087564777af82f913b4a1623fd2c80a78bbad645c7931d45

C:\Users\Admin\AppData\Local\Temp\A5EF.tmp

MD5 0b3a8adfaf5cf48ae0a51ef2a84e0894
SHA1 353c52134d3e2eab7ded2cbeabee59a3b97e85aa
SHA256 26646e99f8342e37f740f546ad280d9d01cb1fb29c8cb78c3e849375b979238f
SHA512 9c3cced5ed1ba51768dfe55970efbe9e04dd16ed6d8fa268512d4f3d7480ca5328a88baeeb23297a89bfffac9920e118b18e8be9ef8a0e3b1a4db515515cecee

C:\Users\Admin\AppData\Local\Temp\A50E.tmp

MD5 60349ff6f5067c10e5d11471c14863e5
SHA1 25d3829e7835d4ae3560ae8d33cbaae4e6f2fa83
SHA256 b22328de35be299bcc03958964ae23c8236c2af89cba9f4c80e695c1f02bd89a
SHA512 aa352c859ed5f3937824f218823f6a7ad0bf455221f2c341175a31753a3d0837129dbe1e87d90454f9a4e91c15cace45542225512fa80354ca98479b97341bc1