Analysis Overview
SHA256
92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45c
Threat Level: Known bad
The file 92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Simda family
simda
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 09:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 09:55
Reported
2024-11-06 09:57
Platform
win7-20241010-en
Max time kernel
116s
Max time network
121s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\7de0f378 = "ÈOÃ\b¿i-è°ò‘l®W>$ûbáËŽeÔ‰\u008d\x02ûÐ\nïk\x15O\x01¿\u008fUg?Ï\x7f\x7fWvîºi\x1a‘ÖŸ\ažMÿÿwO¿ïrC\x19é9?f§ÂÅ\u009d²\u0081]\x19>\x7fÃÉ5W\rÝÞ_‘Us÷\u008d?ñÃÒ‘½\x17s\x0f鹿57iR\x1fúcò\x1fŠÑ\x11b2ko¯Aeo>«‰9þ†B\x7fév\x1bE\t^ßÇvFzZSßá\x19&\u008fw\x17'í\x7fÊ\u008f¥õ¹ƒ•þEVÇ7õ\x0fÇ\aŸÚ_gs‚\x1bÊAKŠû]³N\x0f·ç;Wï®\x06b-ßg\x0f\x7fOG¹ÏO\u008f»\x05Æ—[×íWŸk·u‚\x1a\x1aÿÛ\u0081‘¦\x17ãÂGÅýËÙ\x02Bf\x0e×9zï\u009dÂ!^ÿ\abwOŽåÿ¿/\u008fO¶Ëâ" | C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\7de0f378 = "ÈOÃ\b¿i-è°ò‘l®W>$ûbáËŽeÔ‰\u008d\x02ûÐ\nïk\x15O\x01¿\u008fUg?Ï\x7f\x7fWvîºi\x1a‘ÖŸ\ažMÿÿwO¿ïrC\x19é9?f§ÂÅ\u009d²\u0081]\x19>\x7fÃÉ5W\rÝÞ_‘Us÷\u008d?ñÃÒ‘½\x17s\x0f鹿57iR\x1fúcò\x1fŠÑ\x11b2ko¯Aeo>«‰9þ†B\x7fév\x1bE\t^ßÇvFzZSßá\x19&\u008fw\x17'í\x7fÊ\u008f¥õ¹ƒ•þEVÇ7õ\x0fÇ\aŸÚ_gs‚\x1bÊAKŠû]³N\x0f·ç;Wï®\x06b-ßg\x0f\x7fOG¹ÏO\u008f»\x05Æ—[×íWŸk·u‚\x1a\x1aÿÛ\u0081‘¦\x17ãÂGÅýËÙ\x02Bf\x0e×9zï\u009dÂ!^ÿ\abwOŽåÿ¿/\u008fO¶Ëâ" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1736 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe
"C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
\Windows\AppPatch\svchost.exe
| MD5 | 8ed61cfb773b0dfbdd68d530d7d1e0a8 |
| SHA1 | 5249d3a09ddc21b0b6ac5d82eccd5c75a4bf19b1 |
| SHA256 | 5ab895f069bf6d8f507e3dd7b7ab38a0697bdc4f17b734065d1a71553c3e9859 |
| SHA512 | a8d1b9942c724f7c1a383dd2058bf52c29095ac7eb042ef52225bd5b88cf66c8608b580f4dd9675878e40307f885b2ff6a8fd9eb0f26eb983e19aed2b0e84d3a |
C:\Users\Admin\AppData\Local\Temp\A827.tmp
| MD5 | 4dfaa448c261988564ab3c7bc931b193 |
| SHA1 | b64b00a9bc2ba7e22b313319386f4dd2500257e5 |
| SHA256 | ed67af752a693cfaed5f33d8c07c462b969c2ecb131e9c77087e8265f83f16ff |
| SHA512 | 366e0188eae0ebca60d50c2e166f3af0858d09d1504885631f7c1749ad31f24572bfc8a0464b810bee31f9684c35ecd098a7d45c774813ac577100569dd01431 |
C:\Users\Admin\AppData\Local\Temp\A8B8.tmp
| MD5 | 534fc303a1c32efd00b6b7802a8b7a7c |
| SHA1 | 182a6a6e9563acb0d34991a10ebe2b1abf88d6c1 |
| SHA256 | 861f4912f44fbeac24e62283a9ce5bdc87e68f8ad26f32ab5b7892d873b9f5cc |
| SHA512 | 4c9d2d87e2b5b70a0606ea9b03209077cce9bf9a1ad47d96df7e754516132a73c1d25349c31c19de32a38e0c3d8b7ba24172eeb4126ee7b139957627e7319113 |
C:\Users\Admin\AppData\Local\Temp\53CF.tmp
| MD5 | 926512864979bc27cf187f1de3f57aff |
| SHA1 | acdeb9d6187932613c7fa08eaf28f0cd8116f4b5 |
| SHA256 | b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f |
| SHA512 | f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b |
C:\Users\Admin\AppData\Local\Temp\53F4.tmp
| MD5 | 0d2130aff660cefce564ed955fdbbbf9 |
| SHA1 | a4ad3bf203b224a321f8af56dcf411751bb0889d |
| SHA256 | c9f28982a0a49ce74ec8b185cf80a5955de2dcccdb034591b2516a53390d89e3 |
| SHA512 | 982b6eaf205ebf558c8ec66b7db03dc86b9788f263b13c508d2fbaeb39865fea5ebcac9bef1bfd33a5684acf2efa36d0bed8d51c1240d6079ec8a3178a5112fc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 09:55
Reported
2024-11-06 09:57
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d2d608f2 = "\x1f\x19¹ºG[O››\b\x19GÎ}\vMP\u00a0}\"\u00adÃØ<󈡨땎¬¼c\x054\x0eûœåEHÖv.˜-ü¼-½´6}Õ”ýÃíKf´ž¼õöÎf$pMD&î\x0en –\u009d<¶–MüÞPÃ̈ÀëËîLÃÍÅeÞäÀ\x1dnä\u00adí\\}^\b\u009dåØ\x1eà¥\f͆äµ=u3Õ-k›3D¥ì¼]KÕÔͼ|&\r%£ÅÃ\u008d<cÕV=ì[lµUý…Ýà¬\rý¶»ä\u008d\x1d•-ëÝÞ\x14Må$c „åƒó\f\u008dÌØø«Õݽ\x04\x1bë•\u008d8sÃ@mvÄKäU\\Å3ƒÔ†Ø4Ã\x04Õs[•U\x1b5¦\x05S•ÈUøD\x14;t}Öå\x1d`„F\x15\u009d½\x05d”\v´0Í\x05|d£ÕÔí" | C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d2d608f2 = "\x1f\x19¹ºG[O››\b\x19GÎ}\vMP\u00a0}\"\u00adÃØ<󈡨땎¬¼c\x054\x0eûœåEHÖv.˜-ü¼-½´6}Õ”ýÃíKf´ž¼õöÎf$pMD&î\x0en –\u009d<¶–MüÞPÃ̈ÀëËîLÃÍÅeÞäÀ\x1dnä\u00adí\\}^\b\u009dåØ\x1eà¥\f͆äµ=u3Õ-k›3D¥ì¼]KÕÔͼ|&\r%£ÅÃ\u008d<cÕV=ì[lµUý…Ýà¬\rý¶»ä\u008d\x1d•-ëÝÞ\x14Må$c „åƒó\f\u008dÌØø«Õݽ\x04\x1bë•\u008d8sÃ@mvÄKäU\\Å3ƒÔ†Ø4Ã\x04Õs[•U\x1b5¦\x05S•ÈUøD\x14;t}Öå\x1d`„F\x15\u009d½\x05d”\v´0Í\x05|d£ÕÔí" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1364 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe
"C:\Users\Admin\AppData\Local\Temp\92221eb9327036dfb11bfd619d89cc85d7681d142e7d424f72ef51c236c1a45cN.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| US | 107.178.223.183:80 | lygynud.com | tcp |
| US | 172.67.136.136:80 | lysyvan.com | tcp |
| CN | 103.150.10.48:80 | lyrysor.com | tcp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | 183.223.178.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.136.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.169.248.13.in-addr.arpa | udp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| CN | 103.150.10.48:80 | lyrysor.com | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qedysov.com | udp |
| US | 8.8.8.8:53 | pumylel.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 8.8.8.8:53 | lysysod.com | udp |
| US | 8.8.8.8:53 | vonyket.com | udp |
| US | 8.8.8.8:53 | qekynuq.com | udp |
| US | 8.8.8.8:53 | pupypiv.com | udp |
| US | 8.8.8.8:53 | ganykaz.com | udp |
| US | 8.8.8.8:53 | lykynyj.com | udp |
| US | 8.8.8.8:53 | vopypif.com | udp |
| US | 8.8.8.8:53 | qebykap.com | udp |
| US | 8.8.8.8:53 | pujybyq.com | udp |
| US | 8.8.8.8:53 | gatypub.com | udp |
| US | 8.8.8.8:53 | lyvyjox.com | udp |
| US | 8.8.8.8:53 | vojybek.com | udp |
| US | 8.8.8.8:53 | qetytug.com | udp |
| US | 8.8.8.8:53 | puvyjop.com | udp |
| US | 8.8.8.8:53 | lyrytun.com | udp |
| US | 8.8.8.8:53 | gahyvew.com | udp |
| US | 8.8.8.8:53 | vocyjic.com | udp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 8.8.8.8:53 | purytyg.com | udp |
| US | 8.8.8.8:53 | gacyhis.com | udp |
| US | 8.8.8.8:53 | lygyvar.com | udp |
| US | 8.8.8.8:53 | vowyrym.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | pufycol.com | udp |
| US | 8.8.8.8:53 | gaqyreh.com | udp |
| US | 8.8.8.8:53 | lyxygud.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | qeqyreq.com | udp |
| US | 8.8.8.8:53 | puzyguv.com | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 8.8.8.8:53 | lymywaj.com | udp |
| US | 8.8.8.8:53 | volygyf.com | udp |
| US | 8.8.8.8:53 | qedyxip.com | udp |
| US | 8.8.8.8:53 | pumywaq.com | udp |
| US | 8.8.8.8:53 | galyfyb.com | udp |
| US | 8.8.8.8:53 | lysyxux.com | udp |
| US | 8.8.8.8:53 | vonyqok.com | udp |
| US | 8.8.8.8:53 | qekyfeg.com | udp |
| US | 8.8.8.8:53 | pupyxup.com | udp |
| US | 8.8.8.8:53 | ganyqow.com | udp |
| US | 8.8.8.8:53 | vopyzuc.com | udp |
| US | 8.8.8.8:53 | lykyfen.com | udp |
| US | 8.8.8.8:53 | pujydag.com | udp |
| US | 8.8.8.8:53 | qebyqil.com | udp |
| US | 8.8.8.8:53 | lyvymir.com | udp |
| US | 8.8.8.8:53 | gatyzys.com | udp |
| US | 8.8.8.8:53 | qetylyv.com | udp |
| US | 8.8.8.8:53 | vojydam.com | udp |
| US | 8.8.8.8:53 | gahydoh.com | udp |
| US | 8.8.8.8:53 | puvymul.com | udp |
| US | 8.8.8.8:53 | lyryled.com | udp |
| US | 8.8.8.8:53 | vocymut.com | udp |
| US | 8.8.8.8:53 | qegysoq.com | udp |
| US | 8.8.8.8:53 | gacynuz.com | udp |
| US | 8.8.8.8:53 | lygysij.com | udp |
| US | 8.8.8.8:53 | purylev.com | udp |
| US | 8.8.8.8:53 | qexynyp.com | udp |
| US | 8.8.8.8:53 | vowykaf.com | udp |
| US | 8.8.8.8:53 | pufypiq.com | udp |
| US | 8.8.8.8:53 | gaqykab.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 64.225.91.73:80 | galynuh.com | tcp |
| US | 103.224.182.252:80 | vofycot.com | tcp |
| US | 44.221.84.105:80 | gadyciz.com | tcp |
| US | 76.223.67.189:80 | qexyhuv.com | tcp |
| US | 103.224.212.210:80 | lyxynyx.com | tcp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 8.8.8.8:53 | ww16.vofycot.com | udp |
| DE | 64.190.63.136:80 | ww16.vofycot.com | tcp |
| US | 8.8.8.8:53 | ww25.lyxynyx.com | udp |
| HK | 154.85.183.50:80 | qegyval.com | tcp |
| US | 199.59.243.227:80 | ww25.lyxynyx.com | tcp |
| US | 8.8.8.8:53 | 189.67.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.182.224.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.212.224.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
Files
C:\Windows\apppatch\svchost.exe
| MD5 | cbf0c5131f6a8d5d8266dffac4bbec5d |
| SHA1 | 88a1956f54ee01fed60e4c6ba5e976712b0a6a52 |
| SHA256 | 8fa0ae519188276ab82e68c4f6a697cfb26cce6537ca73bfae93a3ed05889800 |
| SHA512 | fc1a8c99252d3cc7470f282a41f00cfb2cc583fb1385000fe89308738aedc748772420d2334b0ff084d8b227893aaf25d02bfd19a560373d28621c1b0bda465b |
C:\Users\Admin\AppData\Local\Temp\A54F.tmp
| MD5 | dc0928d5ef6ffc56b12638a5aaaf0008 |
| SHA1 | 7ea2156eba8eed2599798708ca550404e453e1cc |
| SHA256 | 668c38aa98404893d6eaeb77f002fc66b16763c7b81fdeecd28cb6f6a8359dd9 |
| SHA512 | 03d71aeea6895ed937fa4ae30dbeca95f4991db0ae22929195403b8dc89d9877deeb70431ee900e792098669df9f70d29483f5cbc02bedd3f75dedbf05915f82 |
C:\Users\Admin\AppData\Local\Temp\A47E.tmp
| MD5 | 48a9cb813c1432610db316174a3f3fca |
| SHA1 | 81679ea5721877122fde738d2037a46138321e0e |
| SHA256 | 46f473a966a2012552f7a1f2d38f8e296d31191fdf2e66550f04367f21ea56c7 |
| SHA512 | cf0c9020745138e1cbc118344732eef1006951ab58897381ee88dea3a742585bcfbec87cdda9de6fffa8fe0ddd938921d89316bf7973fbf2a6592e3964b55272 |
C:\Users\Admin\AppData\Local\Temp\A5F0.tmp
| MD5 | 1c993e9c3ebaae8196be16d8d4ea26a0 |
| SHA1 | 3debef69d987615d6a933d28edde2e8899876166 |
| SHA256 | c2d3cde8ec0c4dae8c9073a03d1b2eccbb16504c9c3a1e55f219d6253b164ddb |
| SHA512 | 58aaf182047f361c702e3b67e0db17f384d04689b98fcda79517b84b8cebf175825572ea7f76e7b86865bffc950f3757d66753c700c54494d38a1a27adffa45d |