Malware Analysis Report

2024-12-07 14:28

Sample ID 241119-adlsgsxpfv
Target fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf
SHA256 fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf
Tags
simda discovery persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf

Threat Level: Known bad

The file fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

Modifies WinLogon for persistence

Simda family

simda

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-19 00:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
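The "Unsigned PE" verdict above means only that the file carries no Authenticode certificate table in its PE header. The following is an added example, not the sandbox's own check: a pure-Python reader of the IMAGE_DIRECTORY_ENTRY_SECURITY data directory, plus a constructed header-only PE (the build_test_pe helper; not a loadable image) to exercise it. Two caveats a practitioner should keep in mind: many legitimate Windows binaries have no embedded signature because they are catalog-signed, so the absence alone is weak evidence, and a present signature still has to be chain-validated (signtool verify /pa, or Get-AuthenticodeSignature on Windows) before it means anything. Note also that the dropped C:\Windows\AppPatch\svchost.exe listed under Files (SHA256 61887235...) is not a byte copy of the submitted sample (SHA256 fc0e9801...), so both files deserve their own check.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory slot holding the Authenticode certificate table


def security_directory(data: bytes):
    """Return (file_offset, size) of the certificate table; (0, 0) means no embedded signature."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at optional-header offset 96
        dirs = 96
    elif magic == 0x20B:      # PE32+: the 64-bit fields push them to offset 112
        dirs = 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, opt + dirs - 4)[0]     # NumberOfRvaAndSizes
    entry = dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or size_of_optional < entry + 8:
        return (0, 0)          # header too short to even hold the slot
    # Unlike every other directory, this entry is a raw file offset, not an RVA.
    return struct.unpack_from("<II", data, opt + entry)


def has_embedded_signature(data: bytes) -> bool:
    offset, size = security_directory(data)
    # A certificate table that points past EOF is as good as absent (truncated or tampered file).
    return offset != 0 and size != 0 and offset + size <= len(data)


def build_test_pe(cert_size: int = 0, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header for testing the check above (assumption: not a real sample)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew at 0x3C -> headers at 0x40
    magic, dirs = (0x20B, 112) if pe32plus else (0x10B, 96)
    opt = bytearray(dirs + 16 * 8)                                  # 16 data directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs - 4, 16)                       # NumberOfRvaAndSizes
    cert_off = len(dos) + 4 + 20 + len(opt) if cert_size else 0     # table appended right after headers
    struct.pack_into("<II", opt, dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, cert_off, cert_size)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x102)
    return dos + b"PE\0\0" + coff + bytes(opt) + b"\0" * cert_size


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        verdict = "embedded signature present" if has_embedded_signature(blob) else "no embedded signature (Unsigned PE)"
        print(path, verdict)
```

Run it as python pe_sigcheck.py sample.exe; it only answers whether a certificate table exists, which is exactly what the static signature above reports and nothing more.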

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-19 00:05

Reported

2024-11-19 00:08

Platform

win7-20241010-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\39aa7d54 = "a\x03ÆTY}§Ô%PU\x1a2\x1b²2Æ\n#ßðÝ2‹¥i\x0fMŽ[¦ó™q\x1acðsÛ©#‰Û‚K9³S\x1b\x01C#¨±Óc\x13+KÀc“s2c\x01ËC Sã:Û\x11\x1bsƒ\x03û#ãšók\vÃks»\x03ë£3Ó#ê9K“\v#›\x12™3ÑsÓŠ+;¢[á\x1bS[\x1b9c»\v‚CºócbË*ˆË!Q\x1acá\x12[£\tpQs™Ñks\u0081ã\u0090‹»Ã9cÙ\u00a0\u0090Ûq\x13\t°#Ë\u00a0ó[\u0081Ãã0 šcC\x13Ã;#+\"»\x01rk\x13ûP#S»ÃƒËû\x1bK¹#[áSQs:\x01+\u00a0cøC\t£9û£+\"\x13\nÓÓbº\ts[û˜#3º\tsËk\x18Ë*#K\v#[+²3\x18p“\vÁ#šÓ‘s" C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\39aa7d54 = "a\x03ÆTY}§Ô%PU\x1a2\x1b²2Æ\n#ßðÝ2‹¥i\x0fMŽ[¦ó™q\x1acðsÛ©#‰Û‚K9³S\x1b\x01C#¨±Óc\x13+KÀc“s2c\x01ËC Sã:Û\x11\x1bsƒ\x03û#ãšók\vÃks»\x03ë£3Ó#ê9K“\v#›\x12™3ÑsÓŠ+;¢[á\x1bS[\x1b9c»\v‚CºócbË*ˆË!Q\x1acá\x12[£\tpQs™Ñks\u0081ã\u0090‹»Ã9cÙ\u00a0\u0090Ûq\x13\t°#Ë\u00a0ó[\u0081Ãã0 šcC\x13Ã;#+\"»\x01rk\x13ûP#S»ÃƒËû\x1bK¹#[áSQs:\x01+\u00a0cøC\t£9û£+\"\x13\nÓÓbº\ts[û˜#3º\tsËk\x18Ë*#K\v#[+²3\x18p“\vÁ#šÓ‘s" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe N/A
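The three signatures above describe one persistence chain: the sample drops C:\Windows\apppatch\svchost.exe (a legitimate process name in a directory where it never lives, ATT&CK T1036.005), appends that path to the Winlogon Userinit value so Winlogon starts it at every interactive logon (T1547.004), and stores opaque non-text data under a value with a random 8-hex-digit name (39aa7d54 here, eddaf2cb in behavioral2). The following is an added hunting check, not part of the report: it takes a dictionary of the Winlogon key's values (on a live host, feed it the output of Get-ItemProperty or reg query) and flags each of those three artifacts. The allowlist, the system-directory set and the list of names worth a masquerade check are assumptions for the example; the snapshot is constructed from the registry writes shown above.

```python
import re
import ntpath  # Windows path semantics even when the audit runs on a non-Windows analysis box

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumption: on a stock install Userinit launches exactly this one binary.
USERINIT_ALLOWLIST = {r"c:\windows\system32\userinit.exe"}
# Assumption: a binary with one of these names belongs in one of these directories and nowhere else.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
MASQUERADE_NAMES = {"svchost.exe", "userinit.exe", "winlogon.exe", "explorer.exe"}
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)

# Constructed snapshot of the Winlogon key as the sample leaves it, built from the report:
# Userinit gains a second entry and an opaque value named 39aa7d54 appears (data truncated here).
SNAPSHOT = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\apppatch\svchost.exe,",
    "39aa7d54": "a\x03\xc6TY}\xa7\xd4%PU\x1a2\x1b\xb22\xc6\n#\xdf\xf0\xdd2",
}


def printable_ratio(s: str) -> float:
    """Share of characters in the printable ASCII range; real Winlogon values are plain paths."""
    if not s:
        return 1.0
    return sum(32 <= ord(c) < 127 for c in s) / len(s)


def check_userinit(value: str):
    findings = []
    for entry in (e.strip().lower() for e in value.split(",")):
        if not entry:
            continue                                  # Userinit normally ends with a trailing comma
        if entry not in USERINIT_ALLOWLIST:
            findings.append(("userinit", entry))      # anything extra here runs at every logon
        name, folder = ntpath.basename(entry), ntpath.dirname(entry)
        if name in MASQUERADE_NAMES and folder and folder not in SYSTEM_DIRS:
            findings.append(("masquerade", entry))    # system binary name, non-system directory
    return findings


def check_opaque_values(snapshot):
    findings = []
    for name, data in snapshot.items():
        if HEX_NAME.match(name) or (isinstance(data, str) and printable_ratio(data) < 0.9):
            findings.append(("opaque-value", name))   # random name and/or binary blob in a string value
    return findings


def audit(snapshot):
    """Return (kind, detail) findings for one Winlogon key snapshot; empty list means clean."""
    userinit = next((v for k, v in snapshot.items() if k.lower() == "userinit"), "")
    return check_userinit(userinit) + check_opaque_values(snapshot)


if __name__ == "__main__":
    for kind, detail in audit(SNAPSHOT):
        print(f"{kind:14} {WINLOGON_KEY}  {detail}")
```

Remediation follows the same three findings in reverse: remove the extra Userinit entry (never delete the value outright, or logons break), delete the hex-named value, then quarantine the file; the sample also re-executes from the Temp copy, so both processes in the Processes list need to be stopped first.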

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe N/A (4 events)
N/A N/A C:\Windows\apppatch\svchost.exe N/A (60 events)

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe

"C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto
GB 95.101.143.219:80 www.bing.com tcp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 puvyxil.com udp
US 8.8.8.8:53 lyryfyd.com udp
US 8.8.8.8:53 qegyqaq.com udp
US 8.8.8.8:53 gacyzuz.com udp
US 8.8.8.8:53 vowydef.com udp
US 8.8.8.8:53 pufymoq.com udp
US 8.8.8.8:53 lyxylux.com udp
US 8.8.8.8:53 qeqysag.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 volykyc.com udp
US 8.8.8.8:53 pumypog.com udp
US 8.8.8.8:53 lysynur.com udp
US 8.8.8.8:53 qekykev.com udp
US 8.8.8.8:53 ganypih.com udp
US 8.8.8.8:53 vopybyt.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 pujyjav.com udp
US 8.8.8.8:53 lyvytuj.com udp
US 8.8.8.8:53 qetyvep.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 gahyhob.com udp
US 8.8.8.8:53 vocyruk.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 purycap.com udp
US 8.8.8.8:53 lygygin.com udp
US 8.8.8.8:53 qexyryl.com udp
US 8.8.8.8:53 gaqycos.com udp
US 8.8.8.8:53 vofygum.com udp
US 8.8.8.8:53 puzywel.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 qedyfyq.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 vonyzuf.com udp
US 8.8.8.8:53 lygymoj.com udp
US 8.8.8.8:53 qexylup.com udp
US 8.8.8.8:53 gaqydeb.com udp
US 8.8.8.8:53 vofymik.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 lymysan.com udp
US 8.8.8.8:53 qedynul.com udp
US 8.8.8.8:53 galykes.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 pupybul.com udp
US 8.8.8.8:53 lykyjad.com udp
US 8.8.8.8:53 qebytiq.com udp
US 8.8.8.8:53 gatyvyz.com udp
US 8.8.8.8:53 vojyjof.com udp
US 8.8.8.8:53 puvytuq.com udp
US 8.8.8.8:53 lyryvex.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 gacyryw.com udp
US 8.8.8.8:53 vowycac.com udp
US 8.8.8.8:53 pufygug.com udp
US 8.8.8.8:53 lyxywer.com udp
US 8.8.8.8:53 qeqyxov.com udp
US 8.8.8.8:53 gadyfuh.com udp
US 8.8.8.8:53 purydyv.com udp
US 8.8.8.8:53 volyqat.com udp
US 8.8.8.8:53 pumyxiv.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 qekyqop.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 vonypom.com udp
US 3.94.10.34:80 lymyxid.com tcp
US 199.191.50.83:80 galyqaz.com tcp
US 18.208.156.248:80 vonypom.com tcp
US 44.221.84.105:80 vocyzit.com tcp
DE 178.162.203.202:80 gatyfus.com tcp
US 199.59.243.227:80 vojyqem.com tcp
US 99.83.170.3:80 puzylyp.com tcp
US 23.253.46.64:80 gahyqah.com tcp
US 104.21.30.183:80 qegyhig.com tcp
US 44.221.84.105:80 vocyzit.com tcp
US 208.100.26.245:80 lyvyxor.com tcp
US 99.83.170.3:80 puzylyp.com tcp
US 23.253.46.64:80 gahyqah.com tcp
US 104.21.30.183:443 qegyhig.com tcp
HK 154.212.231.82:80 gadyniw.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
DE 64.190.63.136:80 ww3.galyqaz.com tcp
US 104.21.30.183:443 qegyhig.com tcp
DE 178.162.203.226:80 gatyfus.com tcp
NL 85.17.31.122:80 gatyfus.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
DE 178.162.203.211:80 gatyfus.com tcp
NL 5.79.71.225:80 gatyfus.com tcp
DE 178.162.217.107:80 gatyfus.com tcp
NL 85.17.31.82:80 gatyfus.com tcp
US 8.8.8.8:53 lykymox.com udp
US 8.8.8.8:53 qebylug.com udp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 gatydaw.com udp
US 8.8.8.8:53 vojymic.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 puvylyg.com udp
US 8.8.8.8:53 qegynuv.com udp
US 8.8.8.8:53 gacykeh.com udp
US 8.8.8.8:53 vowypit.com udp
US 8.8.8.8:53 pufybyv.com udp
US 8.8.8.8:53 lyxyjaj.com udp
US 8.8.8.8:53 qeqytup.com udp
US 8.8.8.8:53 ganyzub.com udp
US 8.8.8.8:53 gadyveb.com udp
US 8.8.8.8:53 vopydek.com udp
US 8.8.8.8:53 volyjok.com udp
US 8.8.8.8:53 pujymip.com udp
US 8.8.8.8:53 lyvylyn.com udp
US 8.8.8.8:53 pumytup.com udp
US 8.8.8.8:53 qetysal.com udp
US 8.8.8.8:53 gahynus.com udp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 vocykem.com udp
US 8.8.8.8:53 purypol.com udp
US 8.8.8.8:53 qekyhil.com udp
US 8.8.8.8:53 lygynud.com udp
US 8.8.8.8:53 ganyrys.com udp
US 8.8.8.8:53 vopycom.com udp
US 8.8.8.8:53 qexykaq.com udp
US 8.8.8.8:53 pujygul.com udp
US 8.8.8.8:53 lyvywed.com udp
US 8.8.8.8:53 qetyxiq.com udp
US 8.8.8.8:53 gahyfyz.com udp
US 8.8.8.8:53 vocyqaf.com udp
US 8.8.8.8:53 gaqypiz.com udp
US 8.8.8.8:53 vofybyf.com udp
US 8.8.8.8:53 lymytux.com udp
US 8.8.8.8:53 puzyjoq.com udp
US 8.8.8.8:53 qedyveg.com udp
US 8.8.8.8:53 galyhiw.com udp
US 8.8.8.8:53 vonyryc.com udp
US 8.8.8.8:53 pupycag.com udp
US 8.8.8.8:53 lykygur.com udp
US 8.8.8.8:53 qebyrev.com udp
US 8.8.8.8:53 gatycoh.com udp
US 8.8.8.8:53 vojygut.com udp
US 8.8.8.8:53 puvywav.com udp
US 8.8.8.8:53 lyryxij.com udp
US 8.8.8.8:53 qegyfyp.com udp
US 8.8.8.8:53 puryxuq.com udp
US 8.8.8.8:53 lygyfex.com udp
US 8.8.8.8:53 qexyqog.com udp
US 8.8.8.8:53 gacyqob.com udp
US 8.8.8.8:53 gaqyzuw.com udp
US 8.8.8.8:53 vofydac.com udp
US 8.8.8.8:53 vowyzuk.com udp
US 8.8.8.8:53 puzymig.com udp
US 8.8.8.8:53 pufydep.com udp
US 8.8.8.8:53 lymylyr.com udp
US 8.8.8.8:53 lyxymin.com udp
US 8.8.8.8:53 qeqylyl.com udp
US 8.8.8.8:53 gadydas.com udp
US 8.8.8.8:53 volymum.com udp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 lygynud.com udp
US 76.223.54.146:80 pupydeq.com tcp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 lyrysor.com udp
US 172.67.136.136:80 lysyvan.com tcp
CN 103.150.10.48:80 lyrysor.com tcp
US 172.67.136.136:443 lysyvan.com tcp
US 172.67.136.136:443 lysyvan.com tcp
US 3.94.10.34:80 lygynud.com tcp
US 76.223.54.146:80 pupydeq.com tcp
CN 103.150.10.48:80 lyrysor.com tcp
US 8.8.8.8:53 qedyxip.com udp
US 8.8.8.8:53 pumylel.com udp
US 8.8.8.8:53 lysysod.com udp
US 8.8.8.8:53 galyfyb.com udp
US 8.8.8.8:53 gatyzys.com udp
US 8.8.8.8:53 lyrytun.com udp
US 8.8.8.8:53 qegyval.com udp
US 8.8.8.8:53 puvymul.com udp
US 8.8.8.8:53 gacyhis.com udp
US 8.8.8.8:53 lyryled.com udp
US 8.8.8.8:53 vowyrym.com udp
US 8.8.8.8:53 qekynuq.com udp
US 8.8.8.8:53 pufycol.com udp
US 8.8.8.8:53 ganykaz.com udp
US 8.8.8.8:53 volygyf.com udp
US 8.8.8.8:53 lyvymir.com udp
US 8.8.8.8:53 vopypif.com udp
US 8.8.8.8:53 gahydoh.com udp
US 8.8.8.8:53 qetytug.com udp
US 8.8.8.8:53 pujybyq.com udp
US 8.8.8.8:53 gahyvew.com udp
US 8.8.8.8:53 vocyjic.com udp
US 8.8.8.8:53 purytyg.com udp
US 8.8.8.8:53 qedysov.com udp
US 8.8.8.8:53 lygyvar.com udp
US 8.8.8.8:53 vocymut.com udp
US 8.8.8.8:53 qexyhuv.com udp
US 8.8.8.8:53 gaqyreh.com udp
US 8.8.8.8:53 galynuh.com udp
US 8.8.8.8:53 qegysoq.com udp
US 8.8.8.8:53 vofycot.com udp
US 8.8.8.8:53 puzyguv.com udp
US 8.8.8.8:53 vonyket.com udp
US 8.8.8.8:53 lymywaj.com udp
US 8.8.8.8:53 gacynuz.com udp
US 8.8.8.8:53 pupypiv.com udp
US 8.8.8.8:53 vowykaf.com udp
US 8.8.8.8:53 lykynyj.com udp
US 8.8.8.8:53 qebykap.com udp
US 8.8.8.8:53 pufypiq.com udp
US 8.8.8.8:53 vonyqok.com udp
US 8.8.8.8:53 lyxynyx.com udp
US 8.8.8.8:53 pupyxup.com udp
US 8.8.8.8:53 gatypub.com udp
US 8.8.8.8:53 purylev.com udp
US 8.8.8.8:53 lykyfen.com udp
US 8.8.8.8:53 vojybek.com udp
US 8.8.8.8:53 qebyqil.com udp
US 8.8.8.8:53 qexynyp.com udp
US 8.8.8.8:53 puvyjop.com udp
US 8.8.8.8:53 gaqykab.com udp
US 8.8.8.8:53 pumywaq.com udp
US 8.8.8.8:53 vojydam.com udp
US 8.8.8.8:53 lyvyjox.com udp
US 8.8.8.8:53 lyxygud.com udp
US 8.8.8.8:53 gadyciz.com udp
US 8.8.8.8:53 qeqyreq.com udp
US 8.8.8.8:53 lysyxux.com udp
US 8.8.8.8:53 lygysij.com udp
US 8.8.8.8:53 vopyzuc.com udp
US 8.8.8.8:53 qekyfeg.com udp
US 8.8.8.8:53 pujydag.com udp
US 8.8.8.8:53 ganyqow.com udp
US 8.8.8.8:53 qetylyv.com udp
US 8.8.8.8:53 lyxynyx.com udp
US 8.8.8.8:53 galynuh.com udp
US 103.224.212.210:80 lyxynyx.com tcp
US 64.225.91.73:80 galynuh.com tcp
US 8.8.8.8:53 vofycot.com udp
US 8.8.8.8:53 qexyhuv.com udp
US 76.223.67.189:80 qexyhuv.com tcp
US 8.8.8.8:53 qegyval.com udp
US 103.224.182.252:80 vofycot.com tcp
HK 154.85.183.50:80 qegyval.com tcp
US 8.8.8.8:53 ww25.lyxynyx.com udp
US 199.59.243.227:80 ww25.lyxynyx.com tcp
US 8.8.8.8:53 ww16.vofycot.com udp
DE 64.190.63.136:80 ww16.vofycot.com tcp
US 8.8.8.8:53 gadyciz.com udp
US 44.221.84.105:80 gadyciz.com tcp
US 76.223.67.189:80 qexyhuv.com tcp
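The network table above is dominated by seven-letter .com domains with the same shape (consonant, vowel, consonant, y, consonant, vowel, consonant: gatyfus.com, puvyxil.com, lyryfyd.com, ...) that the dropped svchost.exe queries in batches; only a fraction get a TCP follow-up, and several of those share an address (44.221.84.105 for vocyzit.com and gadyciz.com, 3.94.10.34 for lymyxid.com and lygynud.com, 199.59.243.227 for vojyqem.com and ww25.lyxynyx.com). Shared addresses plus ww3./ww16./ww25. redirect hostnames are consistent with registered-but-parked domains, so the TCP rows should be read as parking or sinkhole traffic rather than a confirmed C2 exchange unless the HTTP content says otherwise. The following added example (not part of the report) parses rows in this table's layout, separates queried from actually contacted domains, applies a pattern inferred from this sample's queries, and lists addresses serving more than one candidate. The pattern is an assumption fitted to this report, a hunting seed rather than a family signature; the in-addr.arpa rows seen in behavioral2 are reverse lookups of addresses already contacted (202.143.101.95.in-addr.arpa is 95.101.143.202, the bing.com address) and are excluded. The sample rows are a constructed excerpt of the tables on this page.

```python
import re
from collections import defaultdict

# Pattern inferred from this report's queries (assumption: fits this sample, not every build).
CONSONANT = "[b-df-hj-np-tv-xz]"
VOWEL = "[aeiouy]"
DGA_RE = re.compile(rf"^{CONSONANT}{VOWEL}{CONSONANT}y{CONSONANT}{VOWEL}{CONSONANT}\.com$")

# Constructed excerpt of the behavioral1/behavioral2 network tables, same column layout.
SAMPLE = """\
Country Destination Domain Proto
GB 95.101.143.219:80 www.bing.com tcp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 puvyxil.com udp
US 8.8.8.8:53 lyryfyd.com udp
US 8.8.8.8:53 qegyqaq.com udp
US 8.8.8.8:53 gacyzuz.com udp
US 8.8.8.8:53 vowydef.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 lymyxid.com udp
US 3.94.10.34:80 lymyxid.com tcp
US 199.191.50.83:80 galyqaz.com tcp
US 44.221.84.105:80 vocyzit.com tcp
US 99.83.170.3:80 puzylyp.com tcp
US 23.253.46.64:80 gahyqah.com tcp
US 44.221.84.105:80 vocyzit.com tcp
DE 178.162.203.202:80 gatyfus.com tcp
NL 85.17.31.122:80 gatyfus.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
DE 64.190.63.136:80 ww3.galyqaz.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 gadyciz.com udp
US 44.221.84.105:80 gadyciz.com tcp
"""


def is_dga_candidate(domain: str) -> bool:
    return DGA_RE.match(domain) is not None


def parse_rows(text: str):
    """Turn 'Country ip:port domain proto' lines into (country, ip, port, domain, proto) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("tcp", "udp"):
            continue                                  # header or malformed line
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append((country, ip, int(port), domain, proto))
    return rows


def summarize(rows):
    queried = set()
    connected = defaultdict(set)                      # domain -> addresses actually contacted over TCP
    for _country, ip, port, domain, proto in rows:
        if proto == "udp" and port == 53:
            if not domain.endswith(".in-addr.arpa"):  # reverse lookups are not candidate domains
                queried.add(domain)
        elif proto == "tcp":
            connected[domain].add(ip)
    dga = {d for d in queried if is_dga_candidate(d)}
    contacted = {d for d in dga if d in connected}
    ip_to_domains = defaultdict(set)
    for d in contacted:
        for ip in connected[d]:
            ip_to_domains[ip].add(d)
    # One address answering for several unrelated candidates points at parking or a sinkhole.
    shared = {ip: sorted(ds) for ip, ds in ip_to_domains.items() if len(ds) > 1}
    return {
        "queried": len(queried),
        "dga_candidates": len(dga),
        "dga_connected": len(contacted),
        "dga_never_connected": sorted(dga - contacted),
        "shared_ips": shared,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(SAMPLE)).items():
        print(f"{key:20} {value}")
```

For detection at scale the useful signal is the ratio: many distinct pattern-matching names queried per host in a short window with few or no successful connections, not any single domain, since the set rotates.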

Files

memory/2128-0-0x0000000000240000-0x0000000000243000-memory.dmp

memory/2128-1-0x0000000000400000-0x000000000045F000-memory.dmp

C:\Windows\AppPatch\svchost.exe

MD5 5d09694e4b1b7dad31936baaeb3340c7
SHA1 f641d2dfe49015c903b5dd4bcebe0b46e14997fc
SHA256 61887235616827572db0822acaebe61ca30278e22164e4f843449d711b179533
SHA512 871e43746a4431493f2b104ab037b40375c778a117b83d801f96c5a26add16135885feba861df0dcc88fa0f850c5c42f80e326b2790f2885ef3c97ee63f23ec9

memory/2128-14-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2128-13-0x0000000000240000-0x0000000000243000-memory.dmp

memory/2152-15-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2152-16-0x0000000002370000-0x0000000002418000-memory.dmp

memory/2152-24-0x0000000002370000-0x0000000002418000-memory.dmp

memory/2152-22-0x0000000002370000-0x0000000002418000-memory.dmp

memory/2152-20-0x0000000002370000-0x0000000002418000-memory.dmp

memory/2152-18-0x0000000002370000-0x0000000002418000-memory.dmp

memory/2152-26-0x0000000002370000-0x0000000002418000-memory.dmp

memory/2152-27-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2152-28-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-32-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-30-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-44-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-54-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-80-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-79-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-78-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-77-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-76-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-75-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-74-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-73-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-71-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-70-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-69-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-68-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-67-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-66-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-65-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-64-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-63-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-62-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-61-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-60-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-59-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-58-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-56-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-55-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-53-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-52-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-51-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-50-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-49-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-48-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-47-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-46-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-45-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-43-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-42-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-41-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-40-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-39-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-38-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-72-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-37-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-36-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-35-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-57-0x0000000002520000-0x00000000025D6000-memory.dmp

memory/2152-34-0x0000000002520000-0x00000000025D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8139.tmp

MD5 e66abbc54fa84298b5ad45f737a4bcd0
SHA1 ff909e93bb7f1cef4c6fc99352d713db5e2665ed
SHA256 d0b5419fde08dcb2049f86f88df1f74017ae77809ca11c17e2d7cacf13b341d0
SHA512 cb3e8bc6c6ea3426c1bacb52ebf4caf724a7da7da19887793e30ba4f3968638a667af24a77ded319b223e7d2142168477e5188f6ded70606c3033eeb14d1fbad

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 00:05

Reported

2024-11-19 00:08

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\eddaf2cb = "™O¹zÓ£Z5m\x1693ݾrÓ\x1eÜm¹i¼ñå…u‰ƒ˜Ö\x0fâ\n:Å…êªå\x16Åe\x1e\u008d]¢º\u008dîÇ\u008då\x12ÊþþEÎ\"uÅu\x17µ¦Míý…\x15uîÞ/¥5Š:Î6Ne\"\x1dO*>}Ö¥ÕÍ\"ÕjÎÂ\"Å…Ý\"öú~ý%ªÂþbwUwÕ\u00adåmeÎ%Ï\u00adbMG\x17\"Öšg}×ÊÒ2åê\rbú\x17\x15¢U²-•Ò\x1aJE½\u00adÅÅ‚%ÅJ\x15E×\nê5\x15%MåÕO\x15&\r¯\nêíÒý_RMõ>=²:•}%u\u00ad]ê5í\x05\x15ÕÏÊu\x0f:ÆR-bÞžµåžš‚¥U-B\x15º’U/â>µÎõÒUB\x05}åÆ%m•×\u008feb\x0e-ïªÖ\x05ý/¯:J—*u5" C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\eddaf2cb = "™O¹zÓ£Z5m\x1693ݾrÓ\x1eÜm¹i¼ñå…u‰ƒ˜Ö\x0fâ\n:Å…êªå\x16Åe\x1e\u008d]¢º\u008dîÇ\u008då\x12ÊþþEÎ\"uÅu\x17µ¦Míý…\x15uîÞ/¥5Š:Î6Ne\"\x1dO*>}Ö¥ÕÍ\"ÕjÎÂ\"Å…Ý\"öú~ý%ªÂþbwUwÕ\u00adåmeÎ%Ï\u00adbMG\x17\"Öšg}×ÊÒ2åê\rbú\x17\x15¢U²-•Ò\x1aJE½\u00adÅÅ‚%ÅJ\x15E×\nê5\x15%MåÕO\x15&\r¯\nêíÒý_RMõ>=²:•}%u\u00ad]ê5í\x05\x15ÕÏÊu\x0f:ÆR-bÞžµåžš‚¥U-B\x15º’U/â>µÎõÒUB\x05}åÆ%m•×\u008feb\x0e-ïªÖ\x05ý/¯:J—*u5" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe N/A
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe N/A (8 events)
N/A N/A C:\Windows\apppatch\svchost.exe N/A (56 events)

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe

"C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
GB 95.101.143.202:80 www.bing.com tcp
US 8.8.8.8:53 qegyqaq.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 puvyxil.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 lyryfyd.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 purydyv.com udp
US 8.8.8.8:53 gacyzuz.com udp
US 8.8.8.8:53 lygymoj.com udp
US 8.8.8.8:53 vowydef.com udp
US 8.8.8.8:53 qexylup.com udp
US 8.8.8.8:53 pufymoq.com udp
US 8.8.8.8:53 gaqydeb.com udp
US 8.8.8.8:53 lyxylux.com udp
US 8.8.8.8:53 vofymik.com udp
US 8.8.8.8:53 qeqysag.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 lymysan.com udp
US 8.8.8.8:53 volykyc.com udp
US 8.8.8.8:53 qedynul.com udp
US 8.8.8.8:53 pumypog.com udp
US 8.8.8.8:53 galykes.com udp
US 8.8.8.8:53 lysynur.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 qekykev.com udp
US 8.8.8.8:53 pupybul.com udp
US 8.8.8.8:53 lykyjad.com udp
US 8.8.8.8:53 qebytiq.com udp
US 8.8.8.8:53 pujyjav.com udp
US 8.8.8.8:53 gatyvyz.com udp
US 8.8.8.8:53 lyvytuj.com udp
US 8.8.8.8:53 vojyjof.com udp
US 8.8.8.8:53 qetyvep.com udp
US 8.8.8.8:53 puvytuq.com udp
US 8.8.8.8:53 gahyhob.com udp
US 8.8.8.8:53 lyryvex.com udp
US 8.8.8.8:53 vocyruk.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 purycap.com udp
US 8.8.8.8:53 gacyryw.com udp
US 8.8.8.8:53 lygygin.com udp
US 8.8.8.8:53 vowycac.com udp
US 8.8.8.8:53 qexyryl.com udp
US 8.8.8.8:53 pufygug.com udp
US 8.8.8.8:53 gaqycos.com udp
US 8.8.8.8:53 lyxywer.com udp
US 8.8.8.8:53 vopybyt.com udp
US 8.8.8.8:53 vofygum.com udp
US 8.8.8.8:53 qeqyxov.com udp
US 8.8.8.8:53 puzywel.com udp
US 8.8.8.8:53 gadyfuh.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 volyqat.com udp
US 8.8.8.8:53 qedyfyq.com udp
US 8.8.8.8:53 pumyxiv.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 qekyqop.com udp
US 8.8.8.8:53 vonyzuf.com udp
US 8.8.8.8:53 ganypih.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 lymyxid.com udp
US 23.253.46.64:80 gahyqah.com tcp
US 44.221.84.105:80 vocyzit.com tcp
US 208.100.26.245:80 lyvyxor.com tcp
US 104.21.30.183:80 qegyhig.com tcp
DE 178.162.203.202:80 gatyfus.com tcp
US 44.221.84.105:80 vocyzit.com tcp
US 18.208.156.248:80 vonypom.com tcp
US 99.83.170.3:80 puzylyp.com tcp
US 199.59.243.227:80 vojyqem.com tcp
US 3.94.10.34:80 lymyxid.com tcp
US 199.191.50.83:80 galyqaz.com tcp
US 23.253.46.64:80 gahyqah.com tcp
US 99.83.170.3:443 puzylyp.com tcp
US 104.21.30.183:443 qegyhig.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 gadyniw.com udp
GB 142.250.200.3:80 c.pki.goog tcp
HK 154.212.231.82:80 gadyniw.com tcp
US 8.8.8.8:53 202.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 64.46.253.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.30.21.104.in-addr.arpa udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 227.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 83.50.191.199.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 104.21.30.183:443 qegyhig.com tcp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 82.231.212.154.in-addr.arpa udp
DE 178.162.217.107:80 gatyfus.com tcp
DE 178.162.203.211:80 gatyfus.com tcp
US 8.8.8.8:53 211.203.162.178.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 178.162.203.211:80 gatyfus.com tcp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 ganyzub.com udp
US 8.8.8.8:53 lykymox.com udp
US 8.8.8.8:53 vopydek.com udp
US 8.8.8.8:53 qebylug.com udp
US 8.8.8.8:53 pujymip.com udp
US 8.8.8.8:53 gatydaw.com udp
US 8.8.8.8:53 lyvylyn.com udp
US 8.8.8.8:53 vojymic.com udp
US 8.8.8.8:53 qetysal.com udp
US 8.8.8.8:53 puvylyg.com udp
US 8.8.8.8:53 gahynus.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 vocykem.com udp
US 8.8.8.8:53 qegynuv.com udp
US 8.8.8.8:53 purypol.com udp
US 8.8.8.8:53 gacykeh.com udp
US 8.8.8.8:53 lygynud.com udp
US 8.8.8.8:53 vowypit.com udp
US 8.8.8.8:53 qexykaq.com udp
US 8.8.8.8:53 pufybyv.com udp
US 8.8.8.8:53 gaqypiz.com udp
US 8.8.8.8:53 lyxyjaj.com udp
US 8.8.8.8:53 vofybyf.com udp
US 8.8.8.8:53 qeqytup.com udp
US 8.8.8.8:53 puzyjoq.com udp
US 8.8.8.8:53 gadyveb.com udp
US 8.8.8.8:53 lymytux.com udp
US 8.8.8.8:53 volyjok.com udp
US 8.8.8.8:53 qedyveg.com udp
US 8.8.8.8:53 pumytup.com udp
US 8.8.8.8:53 galyhiw.com udp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 vonyryc.com udp
US 8.8.8.8:53 qekyhil.com udp
US 8.8.8.8:53 ganyrys.com udp
US 8.8.8.8:53 pupycag.com udp
US 8.8.8.8:53 lykygur.com udp
US 8.8.8.8:53 vopycom.com udp
US 8.8.8.8:53 qebyrev.com udp
US 8.8.8.8:53 pujygul.com udp
US 8.8.8.8:53 gatycoh.com udp
US 8.8.8.8:53 lyvywed.com udp
US 8.8.8.8:53 vojygut.com udp
US 8.8.8.8:53 qetyxiq.com udp
US 8.8.8.8:53 puvywav.com udp
US 8.8.8.8:53 gahyfyz.com udp
US 8.8.8.8:53 lyryxij.com udp
US 8.8.8.8:53 vocyqaf.com udp
US 8.8.8.8:53 qegyfyp.com udp
US 8.8.8.8:53 puryxuq.com udp
US 8.8.8.8:53 gacyqob.com udp
US 8.8.8.8:53 lygyfex.com udp
US 8.8.8.8:53 vowyzuk.com udp
US 8.8.8.8:53 qexyqog.com udp
US 8.8.8.8:53 pufydep.com udp
US 8.8.8.8:53 gaqyzuw.com udp
US 8.8.8.8:53 lyxymin.com udp
US 8.8.8.8:53 qeqylyl.com udp
US 8.8.8.8:53 puzymig.com udp
US 8.8.8.8:53 gadydas.com udp
US 8.8.8.8:53 lymylyr.com udp
US 8.8.8.8:53 volymum.com udp
US 8.8.8.8:53 vofydac.com udp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 lygynud.com udp
US 13.248.169.48:80 pupydeq.com tcp
US 172.67.136.136:80 lysyvan.com tcp
US 8.8.8.8:53 lyrysor.com udp
US 3.94.10.34:80 lygynud.com tcp
CN 103.150.10.48:80 lyrysor.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.136.67.172.in-addr.arpa udp
US 8.8.8.8:53 48.169.248.13.in-addr.arpa udp
US 172.67.136.136:443 lysyvan.com tcp
US 8.8.8.8:53 pupycag.com udp
US 172.67.136.136:443 lysyvan.com tcp
US 18.208.156.248:80 pupycag.com tcp
US 13.248.169.48:80 pupydeq.com tcp
CN 103.150.10.48:80 lyrysor.com tcp
US 8.8.8.8:53 qedysov.com udp
US 8.8.8.8:53 pumylel.com udp
US 8.8.8.8:53 galynuh.com udp
US 8.8.8.8:53 lysysod.com udp
US 8.8.8.8:53 vonyket.com udp
US 8.8.8.8:53 qekynuq.com udp
US 8.8.8.8:53 pupypiv.com udp
US 8.8.8.8:53 ganykaz.com udp
US 8.8.8.8:53 lykynyj.com udp
US 8.8.8.8:53 vopypif.com udp
US 8.8.8.8:53 qebykap.com udp
US 8.8.8.8:53 pujybyq.com udp
US 8.8.8.8:53 gatypub.com udp
US 8.8.8.8:53 lyvyjox.com udp
US 8.8.8.8:53 vojybek.com udp
US 8.8.8.8:53 qetytug.com udp
US 8.8.8.8:53 puvyjop.com udp
US 8.8.8.8:53 gahyvew.com udp
US 8.8.8.8:53 lyrytun.com udp
US 8.8.8.8:53 vocyjic.com udp
US 8.8.8.8:53 qegyval.com udp
US 8.8.8.8:53 purytyg.com udp
US 8.8.8.8:53 gacyhis.com udp
US 8.8.8.8:53 lygyvar.com udp
US 8.8.8.8:53 vowyrym.com udp
US 8.8.8.8:53 qexyhuv.com udp
US 8.8.8.8:53 pufycol.com udp
US 8.8.8.8:53 gaqyreh.com udp
US 8.8.8.8:53 lyxygud.com udp
US 8.8.8.8:53 vofycot.com udp
US 8.8.8.8:53 qeqyreq.com udp
US 8.8.8.8:53 puzyguv.com udp
US 8.8.8.8:53 gadyciz.com udp
US 8.8.8.8:53 lymywaj.com udp
US 8.8.8.8:53 qedyxip.com udp
US 8.8.8.8:53 volygyf.com udp
US 8.8.8.8:53 galyfyb.com udp
US 8.8.8.8:53 pumywaq.com udp
US 8.8.8.8:53 lysyxux.com udp
US 8.8.8.8:53 vonyqok.com udp
US 8.8.8.8:53 qekyfeg.com udp
US 8.8.8.8:53 pupyxup.com udp
US 8.8.8.8:53 lykyfen.com udp
US 8.8.8.8:53 ganyqow.com udp
US 8.8.8.8:53 qebyqil.com udp
US 8.8.8.8:53 vopyzuc.com udp
US 8.8.8.8:53 pujydag.com udp
US 8.8.8.8:53 gatyzys.com udp
US 8.8.8.8:53 lyvymir.com udp
US 8.8.8.8:53 vojydam.com udp
US 8.8.8.8:53 qetylyv.com udp
US 8.8.8.8:53 gahydoh.com udp
US 8.8.8.8:53 vocymut.com udp
US 8.8.8.8:53 lyryled.com udp
US 8.8.8.8:53 purylev.com udp
US 8.8.8.8:53 qegysoq.com udp
US 8.8.8.8:53 gacynuz.com udp
US 8.8.8.8:53 lygysij.com udp
US 8.8.8.8:53 qexynyp.com udp
US 8.8.8.8:53 vowykaf.com udp
US 8.8.8.8:53 pufypiq.com udp
US 8.8.8.8:53 gaqykab.com udp
US 8.8.8.8:53 lyxynyx.com udp
US 8.8.8.8:53 vofycot.com udp
US 8.8.8.8:53 qexyhuv.com udp
US 8.8.8.8:53 qegyval.com udp
US 8.8.8.8:53 galynuh.com udp
US 8.8.8.8:53 lyxynyx.com udp
US 103.224.182.252:80 vofycot.com tcp
HK 154.85.183.50:80 qegyval.com tcp
US 76.223.67.189:80 qexyhuv.com tcp
US 64.225.91.73:80 galynuh.com tcp
US 103.224.212.210:80 lyxynyx.com tcp
US 8.8.8.8:53 ww16.vofycot.com udp
US 8.8.8.8:53 ww25.lyxynyx.com udp
DE 64.190.63.136:80 ww16.vofycot.com tcp
US 199.59.243.227:80 ww25.lyxynyx.com tcp
US 8.8.8.8:53 189.67.223.76.in-addr.arpa udp
US 8.8.8.8:53 252.182.224.103.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 50.183.85.154.in-addr.arpa udp
US 8.8.8.8:53 210.212.224.103.in-addr.arpa udp
US 8.8.8.8:53 136.63.190.64.in-addr.arpa udp
US 8.8.8.8:53 gadyciz.com udp
US 44.221.84.105:80 gadyciz.com tcp
US 76.223.67.189:80 qexyhuv.com tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

memory/456-0-0x0000000000600000-0x0000000000603000-memory.dmp

memory/456-1-0x0000000000400000-0x000000000045F000-memory.dmp

C:\Windows\apppatch\svchost.exe

MD5 65f662dce8aaa68ba398170e9aa1cfe1
SHA1 667dc8c53cc69c69bc9763c33bf0aaa91c94d135
SHA256 ae7dc948441484b20c1ce641dc81b3efb5b8e18067b77e1d39380bd1910edd38
SHA512 cdf1ba7ee5aee3b8e47e5c7cfd7fdad2c18257ded3c61cbc7fbafab3e1af37fee559a87a1fc7fe8fdaacc7adf2bee3b87136c4aad2bb23708026ef2a365a665c

memory/456-13-0x0000000000400000-0x000000000045F000-memory.dmp

memory/456-12-0x0000000000600000-0x0000000000603000-memory.dmp

memory/3748-14-0x0000000000400000-0x000000000045F000-memory.dmp

memory/3748-15-0x0000000002740000-0x00000000027E8000-memory.dmp

memory/3748-16-0x0000000000400000-0x000000000045F000-memory.dmp

memory/3748-17-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-21-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-19-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-47-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-50-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-78-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-76-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-75-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-74-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-73-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-72-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-71-0x0000000002B40000-0x0000000002BF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BA0D.tmp

MD5 8859cd0ef5375d103f238e599ae8485c
SHA1 2a397ebf9e766f905e2394a599b3a9d99f0857fe
SHA256 34aa0a4e290baf50519a8448178601f0963acafeaa68e1b0933b2375702ff047
SHA512 759a001cb5770720afa81b928ea64f1791ccde601a493840992415af0eb32c9da164e8a94c51fbc9e3721d66af29bcf980d3e50198d23b1928b045a3b0287b0f

memory/3748-70-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-69-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-68-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-67-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-66-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-65-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-64-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-63-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-62-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-60-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-59-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-58-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-56-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-55-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-54-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-52-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-51-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-49-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-48-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-46-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-45-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-43-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-42-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-41-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-39-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-38-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-37-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-36-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-35-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-34-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-33-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-32-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-30-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-29-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-28-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-27-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-26-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-25-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-24-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-23-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-77-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-61-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-57-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-53-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-44-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-40-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-31-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/3748-22-0x0000000002B40000-0x0000000002BF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B9FA.tmp

MD5 b34308ba54b6efd24874cb1718afd8e5
SHA1 cd5afb540a30003157b61dc5cfea0151c3d328ed
SHA256 7c64f1167887ad1ef6cc3434206de9af8f70ccd73177b9aecb065f63d67f310d
SHA512 b6e0ea339a963b30bcb075329ddb8d3b194cd47f683a3415793d408764c1a0269b50aa00ddd0b1a434304df72532133b45451e1d2209c25dfd898d5e197a6690

C:\Users\Admin\AppData\Local\Temp\BB1C.tmp

MD5 ed360cc1540e48d726e07b5a0f7e2d22
SHA1 9f12e1669b5a4923f1ae1bf99ec088c63f88a364
SHA256 546bf3a5d88a6c33a77d96ebc4a257dfe4f5fc0bd428ae8433e3ca682481b6b6
SHA512 60d1dd9daabc63f1a1c7d614099851788c0e5ef27d446353dcf141fa234166f2a8f48930510653ef106a9aab402f4c4d4fd75075b1ddf6429c30d51e3a1fac18