Malware Analysis Report

2025-06-16 00:29

Sample ID 240919-pdpayaxeqf
Target 2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N
SHA256 2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4
Tags
simda discovery persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4

Threat Level: Known bad

The file 2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

simda

Simda family

Modifies WinLogon for persistence

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-19 12:12

Signatures

Simda family

simda

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-19 12:12

Reported

2024-09-19 12:15

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4b6551d5 = "˜ˆX©e’…Õ…Ñx\x1däÙzeæçT0q\f©¢u¯\x10âi*ûBr´´ZŒ’2tT¬\x1a6¬Ò3d1:ò´´Éôœ4KJ\fú\x04ŒœÚªrÒ\x04¹2V„$\x14\x11ÊÜz\x02\f²\x19\tòž\x1aäd4IC\\ìÊ‘\x1aÌ6\x1c\x12C¼Ò¦<Ži\x06²$\x12\"Rô\x01tt‰\f\\‚ÌA#â¬ëú™yÑv6Ù”Rv\f4d\\VÄ4Œ”3C‘TtÒë‰T$„z\x14\f$CÂ̺ª[ÂläZÔ\x02¼ŒŒº¬ªò‚NÊò´Rœ¶l\x01.ôÖ¼ž\x12ŠÓ”ÌšÜTËc¡Úd\x04Â22\\Œ»ÊÞÊz„<»$¬¢n,ÜÄ1Š\x14túKK\nÚ\x04kêÖ´Z„²Òª¡¾ÄCdëy\u0081ÄÎ\\" C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4b6551d5 = "˜ˆX©e’…Õ…Ñx\x1däÙzeæçT0q\f©¢u¯\x10âi*ûBr´´ZŒ’2tT¬\x1a6¬Ò3d1:ò´´Éôœ4KJ\fú\x04ŒœÚªrÒ\x04¹2V„$\x14\x11ÊÜz\x02\f²\x19\tòž\x1aäd4IC\\ìÊ‘\x1aÌ6\x1c\x12C¼Ò¦<Ži\x06²$\x12\"Rô\x01tt‰\f\\‚ÌA#â¬ëú™yÑv6Ù”Rv\f4d\\VÄ4Œ”3C‘TtÒë‰T$„z\x14\f$CÂ̺ª[ÂläZÔ\x02¼ŒŒº¬ªò‚NÊò´Rœ¶l\x01.ôÖ¼ž\x12ŠÓ”ÌšÜTËc¡Úd\x04Â22\\Œ»ÊÞÊz„<»$¬¢n,ÜÄ1Š\x14túKK\nÚ\x04kêÖ´Z„²Òª¡¾ÄCdëy\u0081ÄÎ\\" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe

"C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Files

\Windows\AppPatch\svchost.exe

MD5 85625f30f2d4d78e32945ab6cfe11bb7
SHA1 ac86e850b98f8a2966b5e6c84f7ef4f4dd486c00
SHA256 d57a7cc28bb5417631685279b84e269a788c09990a68c6b6aff3b5aa1516fded
SHA512 0f4d2e9ae6560ba26f7bd2e0922c42f3a5adf65be849591790c642f3d72a54e9a5786f9f259bcb870a6e96ce9bc40314571292e7626ba04b0e90036c79a9701d

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-19 12:12

Reported

2024-09-19 12:15

Platform

win10v2004-20240802-en

Max time kernel

107s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b6919f15 = "L\u008d¦zëÙÿÚà¸I›«“Z¦wè\x13—Œ\x15v‹‚A\x13ŒZ\x1f\x18j\nc›³ÿß#u_\u008fššƒ\u008d[͇B/\x05\x1aÿ‡Õ£çKÕk\x17“MWÓU5/\x13E2ËJ}?rrECÅ*'…ƒŸ£\u00ad#›ç¢Ç£\u008dµ“Sòã‹—ïý*«\u00ad’2+£\x1a³õÚÃÇWË[Có\x0f\neâ¥e\x17Ç\x7fêõ\x0f‡‡×ƒKKzû3r÷¿C/sÏÚå§š[\x17«×oOr’Ç/ß«òÂs\x13g›\x05º“\"’KK\n]\x03B\x17Bº£Ÿ»K»#›³“ź*/Ý*b[s‹§šŠ{jõ\x1d‹§ò³_Û}Ý\x12rrgóB«Róª’•[\aUuo›Òe\"\x1a\u008fWOo\r¢\x17êâj[§[:«ó\a\a" C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b6919f15 = "L\u008d¦zëÙÿÚà¸I›«“Z¦wè\x13—Œ\x15v‹‚A\x13ŒZ\x1f\x18j\nc›³ÿß#u_\u008fššƒ\u008d[͇B/\x05\x1aÿ‡Õ£çKÕk\x17“MWÓU5/\x13E2ËJ}?rrECÅ*'…ƒŸ£\u00ad#›ç¢Ç£\u008dµ“Sòã‹—ïý*«\u00ad’2+£\x1a³õÚÃÇWË[Có\x0f\neâ¥e\x17Ç\x7fêõ\x0f‡‡×ƒKKzû3r÷¿C/sÏÚå§š[\x17«×oOr’Ç/ß«òÂs\x13g›\x05º“\"’KK\n]\x03B\x17Bº£Ÿ»K»#›³“ź*/Ý*b[s‹§šŠ{jõ\x1d‹§ò³_Û}Ý\x12rrgóB«Róª’•[\aUuo›Òe\"\x1a\u008fWOo\r¢\x17êâj[§[:«ó\a\a" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe

"C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Files

C:\Windows\apppatch\svchost.exe

MD5 782641bb9012e009ca84f09dffeeeb70
SHA1 784680a9b2ceaeeab4d59dd92dc845b21b38cd3a
SHA256 d43f518c88f34c4f69dfc0bb7d64bf3df827ec60ac23008cc8528ddf56101e5f
SHA512 a0f0a28aa8fe597ada0b770f9fd8f4ff3187f12c6537c977fe661c2ef513a622056ee73fc69d9eb95a6979b973837df5adf1aab5fe21791f1466d4d69e11b316

C:\Users\Admin\AppData\Local\Temp\BF0E.tmp

MD5 6770a0860603241a726573e950cc143a
SHA1 e99890e532f670b2eff524529077870f1353b182
SHA256 ee462dabc2e61ef7d5eb38fac5806a434f32f3557fa0210dbb9b76f4dd335ef3
SHA512 b5a74bf414295183316558051970a83c0c099a5c5cd3229b6615eef9d51d08fbd377903f2e16f2a82837651aa1b09da61bd2a96e8e8ea8dbcf99c8cc2099c897
