Malware Analysis Report

2024-12-07 15:06

Sample ID 241106-lx3qwszqgq
Target 92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN
SHA256 92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45c
Tags
simda discovery persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45c

Threat Level: Known bad

The file 92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

Modifies WinLogon for persistence

Simda family

simda

Loads dropped DLL

Executes dropped EXE

Modifies WinLogon

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 09:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 09:55

Reported

2024-11-06 09:57

Platform

win7-20241010-en

Max time kernel

116s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\7de0f378 = "ÈOÃ\b¿i-è°ò‘l®W>$ûbáËŽeÔ‰\u008d\x02ûÐ\nïk\x15O\x01¿\u008fUg?Ï\x7f\x7fWvîºi\x1a‘ÖŸ\ažMÿÿwO¿ïrC\x19é9?f§ÂÅ\u009d²\u0081]\x19>\x7fÃÉ5W\rÝÞ_‘Us÷\u008d?ñÃÒ‘½\x17s\x0f鹿57iR\x1fúcò\x1fŠÑ\x11b2ko¯Aeo>«‰9þ†B\x7fév\x1bE\t^ßÇvFzZSßá\x19&\u008fw\x17'í\x7fÊ\u008f¥õ¹ƒ•þEVÇ7õ\x0fÇ\aŸÚ_gs‚\x1bÊAKŠû]³N\x0f·ç;Wï®\x06b-ßg\x0f\x7fOG¹ÏO\u008f»\x05Æ—[×íWŸk·u‚\x1a\x1aÿÛ\u0081‘¦\x17ãÂGÅýËÙ\x02Bf\x0e×9zï\u009dÂ!^ÿ\abwOŽåÿ¿/\u008fO¶Ëâ" C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\7de0f378 = "ÈOÃ\b¿i-è°ò‘l®W>$ûbáËŽeÔ‰\u008d\x02ûÐ\nïk\x15O\x01¿\u008fUg?Ï\x7f\x7fWvîºi\x1a‘ÖŸ\ažMÿÿwO¿ïrC\x19é9?f§ÂÅ\u009d²\u0081]\x19>\x7fÃÉ5W\rÝÞ_‘Us÷\u008d?ñÃÒ‘½\x17s\x0f鹿57iR\x1fúcò\x1fŠÑ\x11b2ko¯Aeo>«‰9þ†B\x7fév\x1bE\t^ßÇvFzZSßá\x19&\u008fw\x17'í\x7fÊ\u008f¥õ¹ƒ•þEVÇ7õ\x0fÇ\aŸÚ_gs‚\x1bÊAKŠû]³N\x0f·ç;Wï®\x06b-ßg\x0f\x7fOG¹ÏO\u008f»\x05Æ—[×íWŸk·u‚\x1a\x1aÿÛ\u0081‘¦\x17ãÂGÅýËÙ\x02Bf\x0e×9zï\u009dÂ!^ÿ\abwOŽåÿ¿/\u008fO¶Ëâ" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
(identical rows collapsed: 4 hits from the dropper, 60 hits from C:\Windows\apppatch\svchost.exe)

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe

"C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto
GB 92.123.128.172:80 www.bing.com tcp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 puvyxil.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 qegyqaq.com udp
US 8.8.8.8:53 gacyzuz.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 purydyv.com udp
US 8.8.8.8:53 lygymoj.com udp
US 8.8.8.8:53 qexylup.com udp
US 8.8.8.8:53 gaqydeb.com udp
US 8.8.8.8:53 vofymik.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 lymysan.com udp
US 8.8.8.8:53 qedynul.com udp
US 8.8.8.8:53 galykes.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 pupybul.com udp
US 8.8.8.8:53 lykyjad.com udp
US 8.8.8.8:53 qebytiq.com udp
US 8.8.8.8:53 gatyvyz.com udp
US 8.8.8.8:53 vojyjof.com udp
US 8.8.8.8:53 puvytuq.com udp
US 8.8.8.8:53 lyryvex.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 lyryfyd.com udp
US 8.8.8.8:53 vowydef.com udp
US 8.8.8.8:53 pufymoq.com udp
US 8.8.8.8:53 lyxylux.com udp
US 8.8.8.8:53 qeqysag.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 volykyc.com udp
US 8.8.8.8:53 pumypog.com udp
US 8.8.8.8:53 lysynur.com udp
US 8.8.8.8:53 qekykev.com udp
US 8.8.8.8:53 ganypih.com udp
US 8.8.8.8:53 vopybyt.com udp
US 8.8.8.8:53 pujyjav.com udp
US 8.8.8.8:53 lyvytuj.com udp
US 8.8.8.8:53 qetyvep.com udp
US 8.8.8.8:53 gahyhob.com udp
US 8.8.8.8:53 vocyruk.com udp
US 8.8.8.8:53 purycap.com udp
US 8.8.8.8:53 lygygin.com udp
US 8.8.8.8:53 qexyryl.com udp
US 8.8.8.8:53 gaqycos.com udp
US 8.8.8.8:53 vofygum.com udp
US 8.8.8.8:53 puzywel.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 qedyfyq.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 vonyzuf.com udp
US 8.8.8.8:53 gacyryw.com udp
US 8.8.8.8:53 vowycac.com udp
US 8.8.8.8:53 pufygug.com udp
US 8.8.8.8:53 lyxywer.com udp
US 8.8.8.8:53 qeqyxov.com udp
US 8.8.8.8:53 gadyfuh.com udp
US 8.8.8.8:53 volyqat.com udp
US 8.8.8.8:53 pumyxiv.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 qekyqop.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 vojyqem.com udp
US 69.162.80.58:80 lysyfyj.com tcp
US 99.83.170.3:80 puzylyp.com tcp
US 18.208.156.248:80 vonypom.com tcp
US 23.253.46.64:80 gahyqah.com tcp
US 208.100.26.245:80 lyvyxor.com tcp
US 44.221.84.105:80 vocyzit.com tcp
US 172.67.173.131:80 qegyhig.com tcp
HK 154.212.231.82:80 gadyniw.com tcp
US 199.191.50.83:80 galyqaz.com tcp
NL 5.79.71.205:80 gatyfus.com tcp
US 3.94.10.34:80 lymyxid.com tcp
US 172.234.222.138:80 vojyqem.com tcp
US 44.221.84.105:80 vocyzit.com tcp
US 99.83.170.3:80 puzylyp.com tcp
US 172.234.222.138:80 vojyqem.com tcp
US 23.253.46.64:80 gahyqah.com tcp
US 172.67.173.131:443 qegyhig.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 172.67.173.131:443 qegyhig.com tcp
DE 178.162.203.202:80 gatyfus.com tcp
NL 85.17.31.122:80 gatyfus.com tcp
DE 178.162.203.211:80 gatyfus.com tcp
NL 85.17.31.82:80 gatyfus.com tcp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 lykymox.com udp
US 8.8.8.8:53 qebylug.com udp
US 8.8.8.8:53 gatydaw.com udp
US 8.8.8.8:53 vojymic.com udp
US 8.8.8.8:53 puvylyg.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 gacykeh.com udp
US 8.8.8.8:53 qegynuv.com udp
US 8.8.8.8:53 pufybyv.com udp
US 8.8.8.8:53 lyxyjaj.com udp
US 8.8.8.8:53 ganyzub.com udp
US 8.8.8.8:53 qeqytup.com udp
US 8.8.8.8:53 vopydek.com udp
US 8.8.8.8:53 pujymip.com udp
US 8.8.8.8:53 gadyveb.com udp
US 8.8.8.8:53 lyvylyn.com udp
US 8.8.8.8:53 qetysal.com udp
US 8.8.8.8:53 volyjok.com udp
US 8.8.8.8:53 gahynus.com udp
US 8.8.8.8:53 pumytup.com udp
US 8.8.8.8:53 vocykem.com udp
US 8.8.8.8:53 purypol.com udp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 lygynud.com udp
US 8.8.8.8:53 qekyhil.com udp
US 8.8.8.8:53 qexykaq.com udp
US 8.8.8.8:53 ganyrys.com udp
US 8.8.8.8:53 gaqypiz.com udp
US 8.8.8.8:53 vopycom.com udp
US 8.8.8.8:53 vofybyf.com udp
US 8.8.8.8:53 pujygul.com udp
US 8.8.8.8:53 lyvywed.com udp
US 8.8.8.8:53 qetyxiq.com udp
US 8.8.8.8:53 gahyfyz.com udp
US 8.8.8.8:53 vocyqaf.com udp
US 8.8.8.8:53 lygyfex.com udp
US 8.8.8.8:53 qexyqog.com udp
US 8.8.8.8:53 vowypit.com udp
US 8.8.8.8:53 gaqyzuw.com udp
US 8.8.8.8:53 puzyjoq.com udp
US 8.8.8.8:53 lymytux.com udp
US 8.8.8.8:53 galyhiw.com udp
US 8.8.8.8:53 vonyryc.com udp
US 8.8.8.8:53 qedyveg.com udp
US 8.8.8.8:53 pupycag.com udp
US 8.8.8.8:53 qebyrev.com udp
US 8.8.8.8:53 gatycoh.com udp
US 8.8.8.8:53 lykygur.com udp
US 8.8.8.8:53 vojygut.com udp
US 8.8.8.8:53 lyryxij.com udp
US 8.8.8.8:53 gacyqob.com udp
US 8.8.8.8:53 puvywav.com udp
US 8.8.8.8:53 qegyfyp.com udp
US 8.8.8.8:53 vowyzuk.com udp
US 8.8.8.8:53 vofydac.com udp
US 8.8.8.8:53 puzymig.com udp
US 8.8.8.8:53 pufydep.com udp
US 8.8.8.8:53 lymylyr.com udp
US 8.8.8.8:53 lyxymin.com udp
US 8.8.8.8:53 qeqylyl.com udp
US 8.8.8.8:53 gadydas.com udp
US 8.8.8.8:53 volymum.com udp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 lygynud.com udp
US 8.8.8.8:53 pupycag.com udp
US 13.248.169.48:80 pupydeq.com tcp
US 104.21.26.151:80 lysyvan.com tcp
US 18.208.156.248:80 pupycag.com tcp
CN 103.150.10.48:80 lyrysor.com tcp
US 104.155.138.21:80 lygynud.com tcp
US 104.21.26.151:443 lysyvan.com tcp
US 104.21.26.151:443 lysyvan.com tcp
US 13.248.169.48:80 pupydeq.com tcp
CN 103.150.10.48:80 lyrysor.com tcp
US 8.8.8.8:53 lysysod.com udp
US 8.8.8.8:53 qekynuq.com udp
US 8.8.8.8:53 qedysov.com udp
US 8.8.8.8:53 galynuh.com udp
US 8.8.8.8:53 vonyket.com udp
US 8.8.8.8:53 pumylel.com udp
US 8.8.8.8:53 lykynyj.com udp
US 8.8.8.8:53 qebykap.com udp
US 8.8.8.8:53 pupypiv.com udp
US 8.8.8.8:53 puvyjop.com udp
US 8.8.8.8:53 gatypub.com udp
US 8.8.8.8:53 vojybek.com udp
US 8.8.8.8:53 lyrytun.com udp
US 8.8.8.8:53 qegyval.com udp
US 8.8.8.8:53 gacyhis.com udp
US 8.8.8.8:53 vowyrym.com udp
US 8.8.8.8:53 volygyf.com udp
US 8.8.8.8:53 pufycol.com udp
US 8.8.8.8:53 lyxygud.com udp
US 8.8.8.8:53 qeqyreq.com udp
US 8.8.8.8:53 gadyciz.com udp
US 8.8.8.8:53 pumywaq.com udp
US 8.8.8.8:53 lysyxux.com udp
US 8.8.8.8:53 qekyfeg.com udp
US 8.8.8.8:53 ganyqow.com udp
US 8.8.8.8:53 pujydag.com udp
US 8.8.8.8:53 vopyzuc.com udp
US 8.8.8.8:53 lyvymir.com udp
US 8.8.8.8:53 qetylyv.com udp
US 8.8.8.8:53 gahydoh.com udp
US 8.8.8.8:53 purylev.com udp
US 8.8.8.8:53 lygysij.com udp
US 8.8.8.8:53 vocymut.com udp
US 8.8.8.8:53 qexynyp.com udp
US 8.8.8.8:53 ganykaz.com udp
US 8.8.8.8:53 gaqykab.com udp
US 8.8.8.8:53 vopypif.com udp
US 8.8.8.8:53 pujybyq.com udp
US 8.8.8.8:53 lyvyjox.com udp
US 8.8.8.8:53 qetytug.com udp
US 8.8.8.8:53 gahyvew.com udp
US 8.8.8.8:53 vocyjic.com udp
US 8.8.8.8:53 lygyvar.com udp
US 8.8.8.8:53 purytyg.com udp
US 8.8.8.8:53 gaqyreh.com udp
US 8.8.8.8:53 qexyhuv.com udp
US 8.8.8.8:53 vofycot.com udp
US 8.8.8.8:53 puzyguv.com udp
US 8.8.8.8:53 qedyxip.com udp
US 8.8.8.8:53 lymywaj.com udp
US 8.8.8.8:53 galyfyb.com udp
US 8.8.8.8:53 pupyxup.com udp
US 8.8.8.8:53 vonyqok.com udp
US 8.8.8.8:53 lykyfen.com udp
US 8.8.8.8:53 qebyqil.com udp
US 8.8.8.8:53 vojydam.com udp
US 8.8.8.8:53 gatyzys.com udp
US 8.8.8.8:53 puvymul.com udp
US 8.8.8.8:53 lyryled.com udp
US 8.8.8.8:53 qegysoq.com udp
US 8.8.8.8:53 gacynuz.com udp
US 8.8.8.8:53 vowykaf.com udp
US 8.8.8.8:53 pufypiq.com udp
US 8.8.8.8:53 lyxynyx.com udp
US 8.8.8.8:53 galynuh.com udp
US 8.8.8.8:53 vofycot.com udp
US 8.8.8.8:53 gadyciz.com udp
US 8.8.8.8:53 qegyval.com udp
US 64.225.91.73:80 galynuh.com tcp
HK 154.85.183.50:80 qegyval.com tcp
US 76.223.67.189:80 qexyhuv.com tcp
US 8.8.8.8:53 lyxynyx.com udp
US 103.224.212.210:80 lyxynyx.com tcp
US 44.221.84.105:80 gadyciz.com tcp
US 103.224.182.252:80 vofycot.com tcp
US 8.8.8.8:53 ww25.lyxynyx.com udp
US 199.59.243.227:80 ww25.lyxynyx.com tcp
US 8.8.8.8:53 ww16.vofycot.com udp
DE 64.190.63.136:80 ww16.vofycot.com tcp

Files

memory/1736-0-0x0000000000400000-0x00000000005BA000-memory.dmp

memory/1736-1-0x0000000000230000-0x0000000000281000-memory.dmp

memory/1736-2-0x0000000000400000-0x000000000045F000-memory.dmp

\Windows\AppPatch\svchost.exe

MD5 8ed61cfb773b0dfbdd68d530d7d1e0a8
SHA1 5249d3a09ddc21b0b6ac5d82eccd5c75a4bf19b1
SHA256 5ab895f069bf6d8f507e3dd7b7ab38a0697bdc4f17b734065d1a71553c3e9859
SHA512 a8d1b9942c724f7c1a383dd2058bf52c29095ac7eb042ef52225bd5b88cf66c8608b580f4dd9675878e40307f885b2ff6a8fd9eb0f26eb983e19aed2b0e84d3a

memory/3000-19-0x0000000000400000-0x00000000005BA000-memory.dmp

memory/3000-20-0x0000000000400000-0x00000000005BA000-memory.dmp

memory/1736-17-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1736-16-0x0000000000230000-0x0000000000281000-memory.dmp

memory/1736-15-0x0000000000400000-0x00000000005BA000-memory.dmp

memory/3000-21-0x0000000000400000-0x00000000005BA000-memory.dmp

memory/3000-22-0x0000000001E70000-0x0000000001F18000-memory.dmp

memory/3000-32-0x0000000001E70000-0x0000000001F18000-memory.dmp

memory/3000-30-0x0000000001E70000-0x0000000001F18000-memory.dmp

memory/3000-33-0x0000000000400000-0x00000000005BA000-memory.dmp

memory/3000-28-0x0000000001E70000-0x0000000001F18000-memory.dmp

memory/3000-26-0x0000000001E70000-0x0000000001F18000-memory.dmp

memory/3000-24-0x0000000001E70000-0x0000000001F18000-memory.dmp

memory/3000-34-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-38-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-36-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-50-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-84-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-83-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-82-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-81-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-80-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-79-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-78-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-77-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-76-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-75-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-74-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-73-0x0000000002620000-0x00000000026D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A827.tmp

MD5 4dfaa448c261988564ab3c7bc931b193
SHA1 b64b00a9bc2ba7e22b313319386f4dd2500257e5
SHA256 ed67af752a693cfaed5f33d8c07c462b969c2ecb131e9c77087e8265f83f16ff
SHA512 366e0188eae0ebca60d50c2e166f3af0858d09d1504885631f7c1749ad31f24572bfc8a0464b810bee31f9684c35ecd098a7d45c774813ac577100569dd01431

memory/3000-72-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-71-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-70-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-69-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-67-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-66-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-65-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-64-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-63-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-62-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-61-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-60-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-59-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-58-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-57-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-56-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-55-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-54-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-53-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-51-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-49-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-48-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-47-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-46-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-45-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-44-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-68-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-43-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-42-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-41-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-52-0x0000000002620000-0x00000000026D6000-memory.dmp

memory/3000-40-0x0000000002620000-0x00000000026D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A8B8.tmp

MD5 534fc303a1c32efd00b6b7802a8b7a7c
SHA1 182a6a6e9563acb0d34991a10ebe2b1abf88d6c1
SHA256 861f4912f44fbeac24e62283a9ce5bdc87e68f8ad26f32ab5b7892d873b9f5cc
SHA512 4c9d2d87e2b5b70a0606ea9b03209077cce9bf9a1ad47d96df7e754516132a73c1d25349c31c19de32a38e0c3d8b7ba24172eeb4126ee7b139957627e7319113

C:\Users\Admin\AppData\Local\Temp\53CF.tmp

MD5 926512864979bc27cf187f1de3f57aff
SHA1 acdeb9d6187932613c7fa08eaf28f0cd8116f4b5
SHA256 b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f
SHA512 f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

C:\Users\Admin\AppData\Local\Temp\53F4.tmp

MD5 0d2130aff660cefce564ed955fdbbbf9
SHA1 a4ad3bf203b224a321f8af56dcf411751bb0889d
SHA256 c9f28982a0a49ce74ec8b185cf80a5955de2dcccdb034591b2516a53390d89e3
SHA512 982b6eaf205ebf558c8ec66b7db03dc86b9788f263b13c508d2fbaeb39865fea5ebcac9bef1bfd33a5684acf2efa36d0bed8d51c1240d6079ec8a3178a5112fc

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 09:55

Reported

2024-11-06 09:57

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A
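The Userinit value recorded in behavioral1 and behavioral2 is the persistence mechanism (ATT&CK T1547.004, Winlogon helper): Winlogon launches every comma-separated entry of this value at logon, so appending C:\Windows\apppatch\svchost.exe to the stock C:\Windows\system32\userinit.exe, makes the dropped copy start with every interactive session without touching the Run keys. Two details matter for hunting: the dropped binary borrows the name of a system process but lives outside System32 (T1036.005), and its SHA256 in the Files section (5ab895f069bf6d8f507e3dd7b7ab38a0697bdc4f17b734065d1a71553c3e9859) differs from the submitted sample's hash, so a hash-only search for the parent misses the persistent copy. The same key also gains a value with a random-looking name (7de0f378 on the Win7 run, d2d608f2 on the Win10 run) holding binary data, which is worth listing as well. The script below is an added example, not code from the report and not Simda code: it parses a Userinit string, flags every entry other than the expected default, calls out system-binary names outside System32, lists Winlogon value names outside a small allow-list, and on a Windows host reads the live key. The expected default, both allow-lists and the Finding type are assumptions.

```python
"""Check a Winlogon Userinit value for appended executables (ATT&CK T1547.004)
and for copies of well-known system binary names outside System32 (T1036.005).

Added example; not part of the sandbox report and not Simda code.
The Userinit value below is copied from the report; everything else
(expected default, allow-lists, the Finding type) is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: a stock host has exactly this one Userinit entry.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}

# Assumption: these binary names belong only in System32; the same name
# anywhere else (here C:\Windows\apppatch\svchost.exe) is masquerading.
SYSTEM32 = r"c:\windows\system32"
KNOWN_SYSTEM_BINARIES = {"svchost.exe", "userinit.exe", "explorer.exe",
                         "lsass.exe", "csrss.exe", "winlogon.exe"}

# Assumption: illustrative subset of value names normally present under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Names not
# listed are returned for review, not declared malicious.
DEFAULT_WINLOGON_VALUES = {"userinit", "shell", "autorestartshell",
                           "defaultdomainname", "defaultusername",
                           "legalnoticecaption", "legalnoticetext",
                           "powerdownaftershutdown", "reportbootok",
                           "vmapplet", "background", "precreateknownfolders"}

# Value recorded by both detonations in the report. The doubled backslashes
# are the report's escaping; _normalize collapses them.
REPORT_USERINIT = r"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def _normalize(entry: str) -> str:
    """Lower-case, strip quotes/whitespace, expand %SystemRoot%, collapse doubled backslashes."""
    e = entry.strip().strip('"').strip().lower()
    e = e.replace("%systemroot%", r"c:\windows")
    while "\\\\" in e:
        e = e.replace("\\\\", "\\")
    return e


def audit_userinit(value: str) -> list[Finding]:
    """Return one Finding per Userinit entry that is not the expected default."""
    findings = []
    for raw in value.split(","):
        entry = _normalize(raw)
        if not entry:                      # the report's value ends in a trailing comma
            continue
        if entry in EXPECTED_USERINIT:
            continue
        directory, _, name = entry.rpartition("\\")
        if name in KNOWN_SYSTEM_BINARIES and directory != SYSTEM32:
            findings.append(Finding(entry, "system binary name outside System32 (masquerading)"))
        else:
            findings.append(Finding(entry, "unexpected Userinit entry"))
    return findings


def unexpected_winlogon_values(value_names) -> list[str]:
    """Value names under the Winlogon key that are not in the allow-list,
    e.g. the random-looking 7de0f378 / d2d608f2 values from the report."""
    return sorted(n for n in value_names if n.lower() not in DEFAULT_WINLOGON_VALUES)


def audit_live_host() -> list[Finding]:
    """Read the live key on a Windows host; returns [] elsewhere (no winreg module)."""
    try:
        import winreg
    except ImportError:
        return []
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return audit_userinit(value)


if __name__ == "__main__":
    for f in audit_userinit(REPORT_USERINIT):
        print(f"{f.path}: {f.reason}")
    print(unexpected_winlogon_values(["Userinit", "Shell", "7de0f378"]))
```

Run it on the report's value and it reports only the apppatch copy of svchost.exe, tagged as masquerading; a clean default value produces no findings. On a live Windows host audit_live_host() applies the same check to HKLM, which is the cheapest fleet-wide hunt for this family's persistence.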

Simda family

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d2d608f2 = "\x1f\x19¹ºG[O››\b\x19GÎ}\vMP\u00a0}\"\u00adÃØ<󈡨땎¬¼c\x054\x0eûœåEHÖv.˜-ü¼-½´6}Õ”ýÃíKf´ž¼õöÎf$pMD&î\x0en –\u009d<¶–MüÞPÃ̈ÀëËîLÃÍÅeÞäÀ\x1dnä\u00adí\\}^\b\u009dåØ\x1eà¥\f͆äµ=u3Õ-k›3D¥ì¼]KÕÔͼ|&\r%£ÅÃ\u008d<cÕV=ì[lµUý…Ýà¬\rý¶»ä\u008d\x1d•-ëÝÞ\x14Må$c „åƒó\f\u008dÌØø«Õݽ\x04\x1bë•\u008d8sÃ@mvÄKäU\\Å3ƒÔ†Ø4Ã\x04Õs[•U\x1b5¦\x05S•ÈUøD\x14;t}Öå\x1d`„F\x15\u009d½\x05d”\v´0Í\x05|d£ÕÔí" C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d2d608f2 = "\x1f\x19¹ºG[O››\b\x19GÎ}\vMP\u00a0}\"\u00adÃØ<󈡨땎¬¼c\x054\x0eûœåEHÖv.˜-ü¼-½´6}Õ”ýÃíKf´ž¼õöÎf$pMD&î\x0en –\u009d<¶–MüÞPÃ̈ÀëËîLÃÍÅeÞäÀ\x1dnä\u00adí\\}^\b\u009dåØ\x1eà¥\f͆äµ=u3Õ-k›3D¥ì¼]KÕÔͼ|&\r%£ÅÃ\u008d<cÕV=ì[lµUý…Ýà¬\rý¶»ä\u008d\x1d•-ëÝÞ\x14Må$c „åƒó\f\u008dÌØø«Õݽ\x04\x1bë•\u008d8sÃ@mvÄKäU\\Å3ƒÔ†Ø4Ã\x04Õs[•U\x1b5¦\x05S•ÈUøD\x14;t}Öå\x1d`„F\x15\u009d½\x05d”\v´0Í\x05|d£ÕÔí" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
(identical rows collapsed: 8 hits from the dropper, 56 hits from C:\Windows\apppatch\svchost.exe)

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe

"C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
GB 92.123.128.146:80 www.bing.com tcp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 puvyxil.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 lyryfyd.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 qegyqaq.com udp
US 8.8.8.8:53 purydyv.com udp
US 8.8.8.8:53 gacyzuz.com udp
US 8.8.8.8:53 lygymoj.com udp
US 8.8.8.8:53 vowydef.com udp
US 8.8.8.8:53 qexylup.com udp
US 8.8.8.8:53 pufymoq.com udp
US 8.8.8.8:53 gaqydeb.com udp
US 8.8.8.8:53 lyxylux.com udp
US 8.8.8.8:53 vofymik.com udp
US 8.8.8.8:53 qeqysag.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 lymysan.com udp
US 8.8.8.8:53 volykyc.com udp
US 8.8.8.8:53 qedynul.com udp
US 8.8.8.8:53 pumypog.com udp
US 8.8.8.8:53 galykes.com udp
US 8.8.8.8:53 lysynur.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 qekykev.com udp
US 8.8.8.8:53 pupybul.com udp
US 8.8.8.8:53 ganypih.com udp
US 8.8.8.8:53 lykyjad.com udp
US 8.8.8.8:53 vopybyt.com udp
US 8.8.8.8:53 qebytiq.com udp
US 8.8.8.8:53 pujyjav.com udp
US 8.8.8.8:53 gatyvyz.com udp
US 8.8.8.8:53 lyvytuj.com udp
US 8.8.8.8:53 vojyjof.com udp
US 8.8.8.8:53 qetyvep.com udp
US 8.8.8.8:53 puvytuq.com udp
US 8.8.8.8:53 gahyhob.com udp
US 8.8.8.8:53 lyryvex.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 vocyruk.com udp
US 8.8.8.8:53 purycap.com udp
US 8.8.8.8:53 gacyryw.com udp
US 8.8.8.8:53 lygygin.com udp
US 8.8.8.8:53 vowycac.com udp
US 8.8.8.8:53 qexyryl.com udp
US 8.8.8.8:53 gaqycos.com udp

Files

C:\Windows\apppatch\svchost.exe

MD5 cbf0c5131f6a8d5d8266dffac4bbec5d
SHA1 88a1956f54ee01fed60e4c6ba5e976712b0a6a52
SHA256 8fa0ae519188276ab82e68c4f6a697cfb26cce6537ca73bfae93a3ed05889800
SHA512 fc1a8c99252d3cc7470f282a41f00cfb2cc583fb1385000fe89308738aedc748772420d2334b0ff084d8b227893aaf25d02bfd19a560373d28621c1b0bda465b

C:\Users\Admin\AppData\Local\Temp\A54F.tmp

MD5 dc0928d5ef6ffc56b12638a5aaaf0008
SHA1 7ea2156eba8eed2599798708ca550404e453e1cc
SHA256 668c38aa98404893d6eaeb77f002fc66b16763c7b81fdeecd28cb6f6a8359dd9
SHA512 03d71aeea6895ed937fa4ae30dbeca95f4991db0ae22929195403b8dc89d9877deeb70431ee900e792098669df9f70d29483f5cbc02bedd3f75dedbf05915f82

C:\Users\Admin\AppData\Local\Temp\A47E.tmp

MD5 48a9cb813c1432610db316174a3f3fca
SHA1 81679ea5721877122fde738d2037a46138321e0e
SHA256 46f473a966a2012552f7a1f2d38f8e296d31191fdf2e66550f04367f21ea56c7
SHA512 cf0c9020745138e1cbc118344732eef1006951ab58897381ee88dea3a742585bcfbec87cdda9de6fffa8fe0ddd938921d89316bf7973fbf2a6592e3964b55272

C:\Users\Admin\AppData\Local\Temp\A5F0.tmp

MD5 1c993e9c3ebaae8196be16d8d4ea26a0
SHA1 3debef69d987615d6a933d28edde2e8899876166
SHA256 c2d3cde8ec0c4dae8c9073a03d1b2eccbb16504c9c3a1e55f219d6253b164ddb
SHA512 58aaf182047f361c702e3b67e0db17f384d04689b98fcda79517b84b8cebf175825572ea7f76e7b86865bffc950f3757d66753c700c54494d38a1a27adffa45d