Analysis Overview
SHA256
eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90
Threat Level: Known bad
The file eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
simda
Simda family
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 09:12
Signatures
Simda family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 09:12
Reported
2024-11-06 09:14
Platform
win7-20241010-en
Max time kernel
113s
Max time network
123s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\7e918545 = "´êŽ\x1bfÚ¦MH;~¹ÏÄ«sÆ3ƒk\x18ª\x0fò-³6a\x01œž\nL\x18\x103+bô,ÿâäï¢J\x1azb;¤ºØ²´DZÂŒ\n\x14Úâ ê“\f\x02ʲ\x1aŒÚ*bâBØ\x12¢’hÚØ'\x17rêòGgJ‚’J\x03oZвôø\"Â+\x02º#ò`Ì¢b4Ê\x04rÇÒÜ?" | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\7e918545 = "´êŽ\x1bfÚ¦MH;~¹ÏÄ«sÆ3ƒk\x18ª\x0fò-³6a\x01œž\nL\x18\x103+bô,ÿâäï¢J\x1azb;¤ºØ²´DZÂŒ\n\x14Úâ ê“\f\x02ʲ\x1aŒÚ*bâBØ\x12¢’hÚØ'\x17rêòGgJ‚’J\x03oZвôø\"Â+\x02º#ò`Ì¢b4Ê\x04rÇÒÜ?" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | N/A |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3044 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | C:\Windows\apppatch\svchost.exe |
| PID 3044 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | C:\Windows\apppatch\svchost.exe |
| PID 3044 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | C:\Windows\apppatch\svchost.exe |
| PID 3044 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe
"C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
C:\Windows\AppPatch\svchost.exe
| MD5 | d9c9a67dd297cae9f82cf0357f1d35e2 |
| SHA1 | fc7f6ee1ea876ef734255df82a1d8b009938a788 |
| SHA256 | 3896f92db63e5c2bd5b8786901e76dc22d6e30b07f83f1f12d64e8265d0a39e8 |
| SHA512 | 206482a77e8989d104a6e9b3fff87ee0cc293dddb867d223c3f03aeca17285b10f74a3f4f38b8d3ab5c647a4e696c675d2dbfd728e55ea782289b7a94a921d83 |
C:\Users\Admin\AppData\Local\Temp\2E0D.tmp
| MD5 | 676131b3928e2f82ccae80af10500ff8 |
| SHA1 | 72151453461b1d4a8ce8ac43475bbfea3bb28b99 |
| SHA256 | 2f1b7c79e2a10d2be80b17dcebdc0207662aaf2c1d00a9ac9489c255f315d7be |
| SHA512 | d6ecba5e0a2f14a0fb701a75ef37c323bc317fe530f1f6d24ba13b6d32800b5a34156f03a7091526f6098d365206fb8d25b09e01f5636f5dc15ea26515ebea8c |
C:\Users\Admin\AppData\Local\Temp\2CE3.tmp
| MD5 | eb26ca9f168ced0a8347ba312e3a2c7f |
| SHA1 | 99ed56a4dfe1378d3840bbb003a81edc19350acb |
| SHA256 | 0de8a3d78baa029745b175c839d3dd696936fdf52274873deea276eacc33c471 |
| SHA512 | d5ae1f26b3858cba36e08c8abf74b156e4f985d0df3d876b98a4e4c0b8e713da4bcb2bc4b07da17933cd2569e9434d6223f764ae092eacec884f3b275b177799 |
C:\Users\Admin\AppData\Local\Temp\AF49.tmp
| MD5 | aa7b6e6afdd567e60b62f80fcbc44d62 |
| SHA1 | 2f18dd5803116a66946883574b0007573e911e54 |
| SHA256 | daada23b9c6b5bd4a033e767feff7e474e4e3733df3a27fe24ae933678e1de3c |
| SHA512 | 7090b1c7e5605b1f510a26b19a9939c5d367d082ee81a239d4f2cb4fca340c9c9d389e90acc29e20241d3ee54cf874942a3d13228f9192b8d132432b32af5a31 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 09:12
Reported
2024-11-06 09:14
Platform
win10v2004-20241007-en
Max time kernel
101s
Max time network
117s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b3d0ba47 = "©8F]S(ö±óY6ZÒf>o~u\u00a0\x16q\býÄ•µ8\x18ŸvŸ2\x04Ò4¤£2¾#b\x12*bzZ:‚\x1e(.\x0eXŒò´\nÒd¶B’Â’\x12j\x02ÆêÂzÒ¢£”\nþ~pž*\x02Âð¼^£F,ºjÒbêãK:(\x16šþ¢¦‚ª\x0e“Êj\nJŒ*6\n²ªJpR>\x18`†‚*¶\x16¶,\":¾`†j\x02j„\x14b\x02\x02êú–ƒ\"ÚNs* Þvz6ãª\x02ŽÌÖCã†æ2`\x12²–\x1e\x04¦¢s¶ÎTVzаäP¢\x1aâ¾Ëj\x03ÐBZä(ŠÒ\bÓ\x12¼jŒ–ÞÊÊâzR8êK\x126N>Cb¦ÊÊž\x1bª¶Ä®(#{öü\nX#\n\x12ð{ÄžJ¬pÖʳ‚\x1bt´ÛbzÚ" | C:\Windows\apppatch\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b3d0ba47 = "©8F]S(ö±óY6ZÒf>o~u\u00a0\x16q\býÄ•µ8\x18ŸvŸ2\x04Ò4¤£2¾#b\x12*bzZ:‚\x1e(.\x0eXŒò´\nÒd¶B’Â’\x12j\x02ÆêÂzÒ¢£”\nþ~pž*\x02Âð¼^£F,ºjÒbêãK:(\x16šþ¢¦‚ª\x0e“Êj\nJŒ*6\n²ªJpR>\x18`†‚*¶\x16¶,\":¾`†j\x02j„\x14b\x02\x02êú–ƒ\"ÚNs* Þvz6ãª\x02ŽÌÖCã†æ2`\x12²–\x1e\x04¦¢s¶ÎTVzаäP¢\x1aâ¾Ëj\x03ÐBZä(ŠÒ\bÓ\x12¼jŒ–ÞÊÊâzR8êK\x126N>Cb¦ÊÊž\x1bª¶Ä®(#{öü\nX#\n\x12ð{ÄžJ¬pÖʳ‚\x1bt´ÛbzÚ" | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 316 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | C:\Windows\apppatch\svchost.exe |
| PID 316 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | C:\Windows\apppatch\svchost.exe |
| PID 316 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe
"C:\Users\Admin\AppData\Local\Temp\eb661452f08e01c7fffb2cad08926b6cca55be13f092ed4d5a746a88da696e90N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
C:\Windows\apppatch\svchost.exe
| MD5 | d57c6ddee1d8ee7092bd9fefc961994c |
| SHA1 | 4793045d77bdf5a7fb39b61b42a37b7328f0c7a2 |
| SHA256 | 98fe8a18c571edad084dce0e35f30718136a29b53478ce154c6281d953c1f73f |
| SHA512 | e268427ba1d2b59330675a56483a9914fc451fde71bb4c7909260fbeb9d070afa8ca472aee4b943d03fc35fbdce7bc91d40f56e781f2eb03eb0617fec5167344 |
memory/316-9-0x0000000000400000-0x000000000046B000-memory.dmp
memory/4912-10-0x0000000002730000-0x00000000027D8000-memory.dmp
memory/4912-13-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-14-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-16-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-48-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-53-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-73-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-72-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-71-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-70-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-69-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-68-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-66-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-65-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-64-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-63-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-62-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-61-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-60-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-59-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-58-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-57-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-56-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-55-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-54-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-52-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-51-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-50-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-49-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-47-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-46-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-45-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-44-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-43-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-41-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-40-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-38-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-37-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-36-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-35-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-34-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-33-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-32-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-31-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-30-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-29-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-28-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-27-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-26-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-24-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-23-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-22-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-21-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-20-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-18-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-67-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-42-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-39-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-25-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-19-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4912-17-0x0000000002B40000-0x0000000002BF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B7CB.tmp
| MD5 | 491ce2dc98e97e4ee3f220fcb2f4a7e4 |
| SHA1 | 1c31dd780321400e578bf7ed963cc522a6233c3e |
| SHA256 | f3498bda3fc5027d2899f8e0416166b09f9beff0cddb6012c305cbc2efe4aba4 |
| SHA512 | 5039137fca0ce5d988b6850d63685868cec00942604aaa03d255f4b8fd3620c0c432c4fadb986212db430dad0bdd17332968042538e9a88d7d8e373d2116b97a |
memory/4912-163-0x0000000002B40000-0x0000000002BF6000-memory.dmp