Analysis Overview
SHA256
fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf
Threat Level: Known bad
The file fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Simda family
simda
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-19 00:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-19 00:05
Reported
2024-11-19 00:08
Platform
win7-20241010-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\39aa7d54 = "a\x03ÆTY}§Ô%PU\x1a2\x1b²2Æ\n#ßðÝ2‹¥i\x0fMŽ[¦ó™q\x1acðsÛ©#‰Û‚K9³S\x1b\x01C#¨±Óc\x13+KÀc“s2c\x01ËC Sã:Û\x11\x1bsƒ\x03û#ãšók\vÃks»\x03ë£3Ó#ê9K“\v#›\x12™3ÑsÓŠ+;¢[á\x1bS[\x1b9c»\v‚CºócbË*ˆË!Q\x1acá\x12[£\tpQs™Ñks\u0081ã\u0090‹»Ã9cÙ\u00a0\u0090Ûq\x13\t°#Ë\u00a0ó[\u0081Ãã0 šcC\x13Ã;#+\"»\x01rk\x13ûP#S»ÃƒËû\x1bK¹#[áSQs:\x01+\u00a0cøC\t£9û£+\"\x13\nÓÓbº\ts[û˜#3º\tsËk\x18Ë*#K\v#[+²3\x18p“\vÁ#šÓ‘s" | C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\39aa7d54 = "a\x03ÆTY}§Ô%PU\x1a2\x1b²2Æ\n#ßðÝ2‹¥i\x0fMŽ[¦ó™q\x1acðsÛ©#‰Û‚K9³S\x1b\x01C#¨±Óc\x13+KÀc“s2c\x01ËC Sã:Û\x11\x1bsƒ\x03û#ãšók\vÃks»\x03ë£3Ó#ê9K“\v#›\x12™3ÑsÓŠ+;¢[á\x1bS[\x1b9c»\v‚CºócbË*ˆË!Q\x1acá\x12[£\tpQs™Ñks\u0081ã\u0090‹»Ã9cÙ\u00a0\u0090Ûq\x13\t°#Ë\u00a0ó[\u0081Ãã0 šcC\x13Ã;#+\"»\x01rk\x13ûP#S»ÃƒËû\x1bK¹#[áSQs:\x01+\u00a0cøC\t£9û£+\"\x13\nÓÓbº\ts[û˜#3º\tsËk\x18Ë*#K\v#[+²3\x18p“\vÁ#šÓ‘s" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe
"C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
C:\Windows\AppPatch\svchost.exe
| MD5 | 5d09694e4b1b7dad31936baaeb3340c7 |
| SHA1 | f641d2dfe49015c903b5dd4bcebe0b46e14997fc |
| SHA256 | 61887235616827572db0822acaebe61ca30278e22164e4f843449d711b179533 |
| SHA512 | 871e43746a4431493f2b104ab037b40375c778a117b83d801f96c5a26add16135885feba861df0dcc88fa0f850c5c42f80e326b2790f2885ef3c97ee63f23ec9 |
C:\Users\Admin\AppData\Local\Temp\8139.tmp
| MD5 | e66abbc54fa84298b5ad45f737a4bcd0 |
| SHA1 | ff909e93bb7f1cef4c6fc99352d713db5e2665ed |
| SHA256 | d0b5419fde08dcb2049f86f88df1f74017ae77809ca11c17e2d7cacf13b341d0 |
| SHA512 | cb3e8bc6c6ea3426c1bacb52ebf4caf724a7da7da19887793e30ba4f3968638a667af24a77ded319b223e7d2142168477e5188f6ded70606c3033eeb14d1fbad |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-19 00:05
Reported
2024-11-19 00:08
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\eddaf2cb = "™O¹zÓ£Z5m\x1693ݾrÓ\x1eÜm¹i¼ñå…u‰ƒ˜Ö\x0fâ\n:Å…êªå\x16Åe\x1e\u008d]¢º\u008dîÇ\u008då\x12ÊþþEÎ\"uÅu\x17µ¦Míý…\x15uîÞ/¥5Š:Î6Ne\"\x1dO*>}Ö¥ÕÍ\"ÕjÎÂ\"Å…Ý\"öú~ý%ªÂþbwUwÕ\u00adåmeÎ%Ï\u00adbMG\x17\"Öšg}×ÊÒ2åê\rbú\x17\x15¢U²-•Ò\x1aJE½\u00adÅÅ‚%ÅJ\x15E×\nê5\x15%MåÕO\x15&\r¯\nêíÒý_RMõ>=²:•}%u\u00ad]ê5í\x05\x15ÕÏÊu\x0f:ÆR-bÞžµåžš‚¥U-B\x15º’U/â>µÎõÒUB\x05}åÆ%m•×\u008feb\x0e-ïªÖ\x05ý/¯:J—*u5" | C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\eddaf2cb = "™O¹zÓ£Z5m\x1693ݾrÓ\x1eÜm¹i¼ñå…u‰ƒ˜Ö\x0fâ\n:Å…êªå\x16Åe\x1e\u008d]¢º\u008dîÇ\u008då\x12ÊþþEÎ\"uÅu\x17µ¦Míý…\x15uîÞ/¥5Š:Î6Ne\"\x1dO*>}Ö¥ÕÍ\"ÕjÎÂ\"Å…Ý\"öú~ý%ªÂþbwUwÕ\u00adåmeÎ%Ï\u00adbMG\x17\"Öšg}×ÊÒ2åê\rbú\x17\x15¢U²-•Ò\x1aJE½\u00adÅÅ‚%ÅJ\x15E×\nê5\x15%MåÕO\x15&\r¯\nêíÒý_RMõ>=²:•}%u\u00ad]ê5í\x05\x15ÕÏÊu\x0f:ÆR-bÞžµåžš‚¥U-B\x15º’U/â>µÎõÒUB\x05}åÆ%m•×\u008feb\x0e-ïªÖ\x05ý/¯:J—*u5" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe | N/A |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 456 wrote to memory of 3748 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe | C:\Windows\apppatch\svchost.exe |
| PID 456 wrote to memory of 3748 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe | C:\Windows\apppatch\svchost.exe |
| PID 456 wrote to memory of 3748 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe
"C:\Users\Admin\AppData\Local\Temp\fc0e9801f3aa423a0b304e37cd10a556ee36aea69b57a077b1f7a7932f5805bf.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| US | 8.8.8.8:53 | vojydam.com | udp |
| US | 8.8.8.8:53 | qetylyv.com | udp |
| US | 8.8.8.8:53 | gahydoh.com | udp |
| US | 8.8.8.8:53 | vocymut.com | udp |
| US | 8.8.8.8:53 | lyryled.com | udp |
| US | 8.8.8.8:53 | purylev.com | udp |
| US | 8.8.8.8:53 | qegysoq.com | udp |
| US | 8.8.8.8:53 | gacynuz.com | udp |
| US | 8.8.8.8:53 | lygysij.com | udp |
| US | 8.8.8.8:53 | qexynyp.com | udp |
| US | 8.8.8.8:53 | vowykaf.com | udp |
| US | 8.8.8.8:53 | pufypiq.com | udp |
| US | 8.8.8.8:53 | gaqykab.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 103.224.182.252:80 | vofycot.com | tcp |
| HK | 154.85.183.50:80 | qegyval.com | tcp |
| US | 76.223.67.189:80 | qexyhuv.com | tcp |
| US | 64.225.91.73:80 | galynuh.com | tcp |
| US | 103.224.212.210:80 | lyxynyx.com | tcp |
| US | 8.8.8.8:53 | ww16.vofycot.com | udp |
| US | 8.8.8.8:53 | ww25.lyxynyx.com | udp |
| DE | 64.190.63.136:80 | ww16.vofycot.com | tcp |
| US | 199.59.243.227:80 | ww25.lyxynyx.com | tcp |
| US | 8.8.8.8:53 | 189.67.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.182.224.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.183.85.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.212.224.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.63.190.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 44.221.84.105:80 | gadyciz.com | tcp |
| US | 76.223.67.189:80 | qexyhuv.com | tcp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
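The table above mixes three kinds of rows: DNS queries to 8.8.8.8 for a long run of seven-letter .com names, the TCP connections that followed only a handful of them, and reverse (PTR) lookups for the addresses that answered. The script below is an added example, not part of the sandbox report: it parses rows in the report's own format, flags names that share the observed shape (seven lowercase letters alternating consonant and vowel with a fixed y in the fourth position, which is a heuristic fitted to this table rather than a description of the family's generator), and separates names that were merely queried from names the sample actually connected to. The embedded rows are copied from the table; every function and variable name is the example's own.

```python
import re
from collections import defaultdict

# Rows copied from the network table above (country, destination, host,
# protocol). This subset covers every row type the table contains: DNS
# queries to 8.8.8.8, the TCP connections that followed some of them, a
# reverse (PTR) lookup and a ww16. parking-style subdomain.
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| US | 172.67.136.136:80 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 3.94.10.34:80 | lygynud.com | tcp |
| CN | 103.150.10.48:80 | lyrysor.com | tcp |
| US | 8.8.8.8:53 | 136.136.67.172.in-addr.arpa | udp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | ww16.vofycot.com | udp |
| DE | 64.190.63.136:80 | ww16.vofycot.com | tcp |
| US | 8.8.8.8:53 | vojydam.com | udp |
"""

ROW_RE = re.compile(
    r"^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(udp|tcp)\s*\|$"
)

# Shape shared by every generated-looking name in the table: seven lowercase
# letters alternating consonant/vowel, a fixed 'y' in the fourth position,
# under .com. This is a heuristic fitted to the observed names, not a
# description of the family's actual generator.
VOWELS = "aeiouy"
CONSONANTS = "bcdfghjklmnpqrstvwxz"
DGA_RE = re.compile(
    rf"^[{CONSONANTS}][{VOWELS}][{CONSONANTS}]y[{CONSONANTS}][{VOWELS}][{CONSONANTS}]\.com$"
)
PARKING_PREFIX_RE = re.compile(r"^ww\d+\.")


def parse_rows(text):
    """Turn the report's '| cc | ip:port | host | proto |' rows into dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, host, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port),
                         "host": host, "proto": proto})
    return rows


def classify_host(host):
    if host.endswith(".in-addr.arpa"):
        return "ptr"
    if DGA_RE.match(host):
        return "dga"
    # A wwNN. label in front of a generated-looking name: the shape of a
    # domain-parking redirect rather than a name the sample itself generated.
    if PARKING_PREFIX_RE.match(host) and DGA_RE.match(host.split(".", 1)[1]):
        return "dga-parking"
    return "other"


def ptr_to_ip(ptr_name):
    """'136.136.67.172.in-addr.arpa' -> '172.67.136.136'."""
    octets = ptr_name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage(text):
    """Split the table into what was only queried and what was connected to."""
    queried = {}                  # host -> class, for every DNS query
    connected = defaultdict(set)  # host -> {(ip, port)} for TCP connections
    for r in parse_rows(text):
        if r["proto"] == "udp" and r["port"] == 53:
            queried[r["host"]] = classify_host(r["host"])
        elif r["proto"] == "tcp":
            connected[r["host"]].add((r["ip"], r["port"]))
    dga = sorted(h for h, k in queried.items() if k == "dga")
    return {
        "queried_dga": dga,
        "resolved_dga": {h: sorted(connected[h]) for h in dga if h in connected},
        "unresolved_dga": [h for h in dga if h not in connected],
        "parking": sorted(h for h, k in queried.items() if k == "dga-parking"),
        "ptr_targets": sorted(ptr_to_ip(h) for h, k in queried.items() if k == "ptr"),
    }


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print(f"{len(result['queried_dga'])} generated-looking names queried, "
          f"{len(result['resolved_dga'])} followed by a TCP connection")
    for host, endpoints in result["resolved_dga"].items():
        print(f"  {host}: {endpoints}")
    print("unresolved:", result["unresolved_dga"])
    print("parking-style redirects:", result["parking"])
    print("reverse lookups for:", result["ptr_targets"])
```

Run against the full table, the split is what matters for indicator handling: the names that were only queried are the ones worth feeding into a DGA signature or sinkhole list, while the few that resolved should be treated with care. Names generated in bulk are routinely registered by third parties, and the immediate hops to ww16. and ww25. subdomains in the table are the shape of a parking or redirect page, so an address that answered for one of these names is a low-confidence indicator until the HTTP response has been looked at.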
Files
memory/456-0-0x0000000000600000-0x0000000000603000-memory.dmp
memory/456-1-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Windows\apppatch\svchost.exe
| MD5 | 65f662dce8aaa68ba398170e9aa1cfe1 |
| SHA1 | 667dc8c53cc69c69bc9763c33bf0aaa91c94d135 |
| SHA256 | ae7dc948441484b20c1ce641dc81b3efb5b8e18067b77e1d39380bd1910edd38 |
| SHA512 | cdf1ba7ee5aee3b8e47e5c7cfd7fdad2c18257ded3c61cbc7fbafab3e1af37fee559a87a1fc7fe8fdaacc7adf2bee3b87136c4aad2bb23708026ef2a365a665c |
memory/456-13-0x0000000000400000-0x000000000045F000-memory.dmp
memory/456-12-0x0000000000600000-0x0000000000603000-memory.dmp
memory/3748-14-0x0000000000400000-0x000000000045F000-memory.dmp
memory/3748-15-0x0000000002740000-0x00000000027E8000-memory.dmp
memory/3748-16-0x0000000000400000-0x000000000045F000-memory.dmp
memory/3748-17-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-21-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-19-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-47-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-50-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-78-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-76-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-75-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-74-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-73-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-72-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-71-0x0000000002B40000-0x0000000002BF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BA0D.tmp
| MD5 | 8859cd0ef5375d103f238e599ae8485c |
| SHA1 | 2a397ebf9e766f905e2394a599b3a9d99f0857fe |
| SHA256 | 34aa0a4e290baf50519a8448178601f0963acafeaa68e1b0933b2375702ff047 |
| SHA512 | 759a001cb5770720afa81b928ea64f1791ccde601a493840992415af0eb32c9da164e8a94c51fbc9e3721d66af29bcf980d3e50198d23b1928b045a3b0287b0f |
memory/3748-70-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-69-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-68-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-67-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-66-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-65-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-64-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-63-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-62-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-60-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-59-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-58-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-56-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-55-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-54-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-52-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-51-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-49-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-48-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-46-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-45-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-43-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-42-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-41-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-39-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-38-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-37-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-36-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-35-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-34-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-33-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-32-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-30-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-29-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-28-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-27-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-26-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-25-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-24-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-23-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-77-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-61-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-57-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-53-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-44-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-40-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-31-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-22-0x0000000002B40000-0x0000000002BF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B9FA.tmp
| MD5 | b34308ba54b6efd24874cb1718afd8e5 |
| SHA1 | cd5afb540a30003157b61dc5cfea0151c3d328ed |
| SHA256 | 7c64f1167887ad1ef6cc3434206de9af8f70ccd73177b9aecb065f63d67f310d |
| SHA512 | b6e0ea339a963b30bcb075329ddb8d3b194cd47f683a3415793d408764c1a0269b50aa00ddd0b1a434304df72532133b45451e1d2209c25dfd898d5e197a6690 |
C:\Users\Admin\AppData\Local\Temp\BB1C.tmp
| MD5 | ed360cc1540e48d726e07b5a0f7e2d22 |
| SHA1 | 9f12e1669b5a4923f1ae1bf99ec088c63f88a364 |
| SHA256 | 546bf3a5d88a6c33a77d96ebc4a257dfe4f5fc0bd428ae8433e3ca682481b6b6 |
| SHA512 | 60d1dd9daabc63f1a1c7d614099851788c0e5ef27d446353dcf141fa234166f2a8f48930510653ef106a9aab402f4c4d4fd75075b1ddf6429c30d51e3a1fac18 |
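The memory dump names in the Files listing encode which process and which address range each snapshot covers, and the same range in PID 3748 was captured dozens of times. The script below is an added example, not part of the report or of any sandbox tooling: it parses names in the listing's format, groups them by process and region, and ranks regions by how often they were captured so an analyst knows which dump to open first. Two assumptions are made and marked in the code: the middle number in each name is taken to be the capture index, and a region starting at 0x400000 (the default image base of a 32-bit PE) is taken to be the loaded executable itself. The embedded names are copied from the listing.

```python
import re
from collections import defaultdict

# Names copied from the Files listing above. The middle number is treated
# here as the sandbox's capture index (an assumption about its naming
# scheme); the two hex values are the dumped region's start and end.
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)

DUMP_NAMES = """\
memory/456-0-0x0000000000600000-0x0000000000603000-memory.dmp
memory/456-1-0x0000000000400000-0x000000000045F000-memory.dmp
memory/456-13-0x0000000000400000-0x000000000045F000-memory.dmp
memory/456-12-0x0000000000600000-0x0000000000603000-memory.dmp
memory/3748-14-0x0000000000400000-0x000000000045F000-memory.dmp
memory/3748-15-0x0000000002740000-0x00000000027E8000-memory.dmp
memory/3748-16-0x0000000000400000-0x000000000045F000-memory.dmp
memory/3748-17-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-21-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-19-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3748-47-0x0000000002B40000-0x0000000002BF6000-memory.dmp
"""

# 0x400000 is the default image base of a 32-bit PE, so a region starting
# there in each process is assumed to be the loaded executable itself.
DEFAULT_IMAGE_BASE = 0x400000


def parse_dump_names(text):
    dumps = []
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
    return dumps


def summarize_regions(text):
    """Group dumps by (pid, start, end) and record how often each was captured."""
    regions = defaultdict(list)
    for d in parse_dump_names(text):
        regions[(d["pid"], d["start"], d["end"])].append(d["seq"])
    summary = []
    for (pid, start, end), seqs in sorted(regions.items()):
        summary.append({
            "pid": pid, "start": start, "end": end, "size": end - start,
            "captures": sorted(seqs),
            "is_image": start == DEFAULT_IMAGE_BASE,
        })
    return summary


def most_captured(text):
    """The non-image region dumped most often: the first one to open."""
    candidates = [r for r in summarize_regions(text) if not r["is_image"]]
    return max(candidates, key=lambda r: len(r["captures"]))


if __name__ == "__main__":
    for r in summarize_regions(DUMP_NAMES):
        tag = "image" if r["is_image"] else "other"
        print(f"pid {r['pid']:>5} {r['start']:#011x}-{r['end']:#011x} "
              f"{r['size']:>8} bytes  {len(r['captures'])} capture(s)  {tag}")
    hot = most_captured(DUMP_NAMES)
    print(f"start with pid {hot['pid']} region {hot['start']:#x} ({hot['size']} bytes)")
```

On the full listing the ranking is unambiguous: the 0xB6000-byte region at 0x2B40000 in PID 3748 is captured on almost every snapshot while the image region at 0x400000 appears twice per process, so that repeatedly rewritten region, not the on-disk image, is where to look for unpacked code.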