Malware Analysis Report

2025-06-16 00:29

Sample ID 240919-xf2m2svamb
Target 25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN
SHA256 25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706f
Tags simda discovery persistence stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706f

Threat Level: Known bad

The file 25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN was found to be: Known bad.

Malicious Activity Summary

Tags simda discovery persistence stealer trojan

Simda family

Modifies WinLogon for persistence

simda

Loads dropped DLL

Executes dropped EXE

Modifies WinLogon

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-19 18:48

Signatures

Simda family

simda

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-19 18:48

Reported

2024-09-19 18:51

Platform

win7-20240903-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\27e5fb66 = "uj&Ù?цa@µ»S/x\x06Þ¾”\x02\x06“\x1f:®mó¦\x18Êð\u008f0Ïr°šrÎ.g’¢y22ö–È’ß>Ò^\x12.ÇωJA°™g\x17Nb\tç>ö¡z’ç2FX‚â×~žhºf†®¶8–2†\x11išÇZBŸž¸ê؇\x11F/éùÂæ§ˆ¡º’’–>~Á:\x19(ª˜F`R^ïÂ\"áX®¾—>a¦nðŽâ\x16¢Â\u0081\x02î†Â'ê\x1eg" C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\27e5fb66 = "uj&Ù?цa@µ»S/x\x06Þ¾”\x02\x06“\x1f:®mó¦\x18Êð\u008f0Ïr°šrÎ.g’¢y22ö–È’ß>Ò^\x12.ÇωJA°™g\x17Nb\tç>ö¡z’ç2FX‚â×~žhºf†®¶8–2†\x11išÇZBŸž¸ê؇\x11F/éùÂæ§ˆ¡º’’–>~Á:\x19(ª˜F`R^ïÂ\"áX®¾—>a¦nðŽâ\x16¢Â\u0081\x02î†Â'ê\x1eg" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe

"C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto
GB 95.101.143.193:80 www.bing.com tcp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 puvyxil.com udp
US 8.8.8.8:53 lyryfyd.com udp
US 8.8.8.8:53 qegyqaq.com udp
US 8.8.8.8:53 gacyzuz.com udp
US 8.8.8.8:53 vowydef.com udp
US 8.8.8.8:53 pufymoq.com udp
US 8.8.8.8:53 lyxylux.com udp
US 8.8.8.8:53 qeqysag.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 volykyc.com udp
US 8.8.8.8:53 pumypog.com udp
US 8.8.8.8:53 lysynur.com udp
US 8.8.8.8:53 qekykev.com udp
US 8.8.8.8:53 ganypih.com udp
US 8.8.8.8:53 vopybyt.com udp
US 8.8.8.8:53 pujyjav.com udp
US 8.8.8.8:53 lyvytuj.com udp
US 8.8.8.8:53 qetyvep.com udp
US 8.8.8.8:53 gahyhob.com udp
US 8.8.8.8:53 vocyruk.com udp
US 8.8.8.8:53 purycap.com udp
US 8.8.8.8:53 lygygin.com udp
US 8.8.8.8:53 qexyryl.com udp
US 8.8.8.8:53 gaqycos.com udp
US 8.8.8.8:53 vofygum.com udp
US 8.8.8.8:53 puzywel.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 qedyfyq.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 vonyzuf.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 purydyv.com udp
US 8.8.8.8:53 lygymoj.com udp
US 8.8.8.8:53 qexylup.com udp
US 8.8.8.8:53 gaqydeb.com udp
US 8.8.8.8:53 vofymik.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 lymysan.com udp
US 8.8.8.8:53 qedynul.com udp
US 8.8.8.8:53 galykes.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 pupybul.com udp
US 8.8.8.8:53 lykyjad.com udp
US 8.8.8.8:53 qebytiq.com udp
US 8.8.8.8:53 gatyvyz.com udp
US 8.8.8.8:53 vojyjof.com udp
US 8.8.8.8:53 puvytuq.com udp
US 8.8.8.8:53 lyryvex.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 gacyryw.com udp
US 8.8.8.8:53 vowycac.com udp
US 8.8.8.8:53 pufygug.com udp
US 8.8.8.8:53 lyxywer.com udp
US 8.8.8.8:53 qeqyxov.com udp
US 8.8.8.8:53 gadyfuh.com udp
US 8.8.8.8:53 volyqat.com udp
US 8.8.8.8:53 pumyxiv.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 qekyqop.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 puzylyp.com udp
US 13.248.252.114:80 puzylyp.com tcp
US 162.255.119.102:80 gahyqah.com tcp
US 172.234.222.143:80 vojyqem.com tcp
US 208.100.26.245:80 lyvyxor.com tcp
DE 178.162.217.107:80 gatyfus.com tcp
US 104.21.30.183:80 qegyhig.com tcp
US 3.94.10.34:80 lymyxid.com tcp
US 44.221.84.105:80 vocyzit.com tcp
US 44.221.84.105:80 vocyzit.com tcp
US 18.208.156.248:80 vonypom.com tcp
US 199.191.50.83:80 galyqaz.com tcp
US 69.162.80.60:80 lysyfyj.com tcp
US 172.234.222.143:80 vojyqem.com tcp
US 8.8.8.8:53 www.gahyqah.com udp
DE 91.195.240.19:80 www.gahyqah.com tcp
US 69.162.80.60:80 lysyfyj.com tcp
US 104.21.30.183:443 qegyhig.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.35:80 c.pki.goog tcp
NL 5.79.71.205:80 gatyfus.com tcp
HK 154.212.231.82:80 gadyniw.com tcp
US 104.21.30.183:443 qegyhig.com tcp
US 99.83.138.213:80 puzylyp.com tcp
NL 5.79.71.205:80 gatyfus.com tcp
US 13.248.252.114:80 puzylyp.com tcp
DE 178.162.203.226:80 gatyfus.com tcp
NL 85.17.31.122:80 gatyfus.com tcp
DE 178.162.203.211:80 gatyfus.com tcp
US 99.83.138.213:80 puzylyp.com tcp
DE 178.162.203.202:80 gatyfus.com tcp
US 8.8.8.8:53 ganyzub.com udp
US 8.8.8.8:53 vopydek.com udp
US 8.8.8.8:53 pujymip.com udp
US 8.8.8.8:53 lyvylyn.com udp
US 8.8.8.8:53 qetysal.com udp
US 8.8.8.8:53 gahynus.com udp
US 8.8.8.8:53 vocykem.com udp
US 8.8.8.8:53 lygynud.com udp
US 8.8.8.8:53 qexykaq.com udp
US 8.8.8.8:53 purypol.com udp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 gaqypiz.com udp
US 8.8.8.8:53 lykymox.com udp
US 8.8.8.8:53 qebylug.com udp
US 8.8.8.8:53 gatydaw.com udp
US 8.8.8.8:53 vojymic.com udp
US 8.8.8.8:53 puvylyg.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 qegynuv.com udp
US 8.8.8.8:53 gacykeh.com udp
US 8.8.8.8:53 vowypit.com udp
US 8.8.8.8:53 pufybyv.com udp
US 8.8.8.8:53 lyxyjaj.com udp
US 8.8.8.8:53 qeqytup.com udp
US 8.8.8.8:53 gadyveb.com udp
US 8.8.8.8:53 volyjok.com udp
US 8.8.8.8:53 pumytup.com udp
US 8.8.8.8:53 vofybyf.com udp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 puzyjoq.com udp
US 8.8.8.8:53 qekyhil.com udp
US 8.8.8.8:53 lymytux.com udp
US 8.8.8.8:53 ganyrys.com udp
US 8.8.8.8:53 qedyveg.com udp
US 8.8.8.8:53 vopycom.com udp
US 8.8.8.8:53 galyhiw.com udp
US 8.8.8.8:53 pujygul.com udp
US 8.8.8.8:53 vonyryc.com udp
US 8.8.8.8:53 lyvywed.com udp
US 8.8.8.8:53 pupycag.com udp
US 8.8.8.8:53 qetyxiq.com udp
US 8.8.8.8:53 lykygur.com udp
US 8.8.8.8:53 gahyfyz.com udp
US 8.8.8.8:53 qebyrev.com udp
US 8.8.8.8:53 vocyqaf.com udp
US 8.8.8.8:53 gatycoh.com udp
US 8.8.8.8:53 puryxuq.com udp
US 8.8.8.8:53 vojygut.com udp
US 8.8.8.8:53 lygyfex.com udp
US 8.8.8.8:53 puvywav.com udp
US 8.8.8.8:53 qexyqog.com udp
US 8.8.8.8:53 lyryxij.com udp
US 8.8.8.8:53 gaqyzuw.com udp
US 8.8.8.8:53 qegyfyp.com udp
US 8.8.8.8:53 vofydac.com udp
US 8.8.8.8:53 gacyqob.com udp
US 8.8.8.8:53 puzymig.com udp
US 8.8.8.8:53 vowyzuk.com udp
US 8.8.8.8:53 lymylyr.com udp
US 8.8.8.8:53 pufydep.com udp
US 8.8.8.8:53 lyxymin.com udp
US 8.8.8.8:53 qeqylyl.com udp
US 8.8.8.8:53 gadydas.com udp
US 8.8.8.8:53 volymum.com udp
US 8.8.8.8:53 pupydeq.com udp
US 13.248.169.48:80 pupydeq.com tcp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 pupycag.com udp
US 172.67.136.136:80 lysyvan.com tcp
CN 103.150.10.58:80 lyrysor.com tcp
US 18.208.156.248:80 pupycag.com tcp
US 172.67.136.136:443 lysyvan.com tcp
US 172.67.136.136:443 lysyvan.com tcp
US 13.248.169.48:80 pupydeq.com tcp
CN 103.150.10.58:80 lyrysor.com tcp
US 8.8.8.8:53 qedysov.com udp
US 8.8.8.8:53 pumylel.com udp
US 8.8.8.8:53 galynuh.com udp
US 8.8.8.8:53 vonyket.com udp
US 8.8.8.8:53 pupypiv.com udp
US 8.8.8.8:53 lykynyj.com udp
US 8.8.8.8:53 lysysod.com udp
US 8.8.8.8:53 qebykap.com udp
US 8.8.8.8:53 gatypub.com udp
US 8.8.8.8:53 ganykaz.com udp
US 8.8.8.8:53 vojybek.com udp
US 8.8.8.8:53 qekynuq.com udp
US 8.8.8.8:53 puvyjop.com udp
US 8.8.8.8:53 vopypif.com udp
US 8.8.8.8:53 pujybyq.com udp
US 8.8.8.8:53 lyrytun.com udp
US 8.8.8.8:53 lyvyjox.com udp
US 8.8.8.8:53 qetytug.com udp
US 8.8.8.8:53 gahyvew.com udp
US 8.8.8.8:53 vocyjic.com udp
US 8.8.8.8:53 purytyg.com udp
US 8.8.8.8:53 lygyvar.com udp
US 8.8.8.8:53 qexyhuv.com udp
US 8.8.8.8:53 gaqyreh.com udp
US 8.8.8.8:53 vofycot.com udp
US 8.8.8.8:53 lymywaj.com udp
US 8.8.8.8:53 qegyval.com udp
US 8.8.8.8:53 qedyxip.com udp
US 8.8.8.8:53 gacyhis.com udp
US 8.8.8.8:53 galyfyb.com udp
US 8.8.8.8:53 vowyrym.com udp
US 8.8.8.8:53 vonyqok.com udp
US 8.8.8.8:53 pufycol.com udp
US 8.8.8.8:53 pupyxup.com udp
US 8.8.8.8:53 lyxygud.com udp
US 8.8.8.8:53 qeqyreq.com udp
US 8.8.8.8:53 lykyfen.com udp
US 8.8.8.8:53 gadyciz.com udp
US 8.8.8.8:53 qebyqil.com udp
US 8.8.8.8:53 volygyf.com udp
US 8.8.8.8:53 gatyzys.com udp
US 8.8.8.8:53 vojydam.com udp
US 8.8.8.8:53 pumywaq.com udp
US 8.8.8.8:53 puvymul.com udp
US 8.8.8.8:53 lysyxux.com udp
US 8.8.8.8:53 qegysoq.com udp
US 8.8.8.8:53 qekyfeg.com udp
US 8.8.8.8:53 ganyqow.com udp
US 8.8.8.8:53 vopyzuc.com udp
US 8.8.8.8:53 pujydag.com udp
US 8.8.8.8:53 lyvymir.com udp
US 8.8.8.8:53 qetylyv.com udp
US 8.8.8.8:53 gahydoh.com udp
US 8.8.8.8:53 vocymut.com udp
US 8.8.8.8:53 purylev.com udp
US 8.8.8.8:53 lyryled.com udp
US 8.8.8.8:53 lygysij.com udp
US 8.8.8.8:53 qexynyp.com udp
US 8.8.8.8:53 gacynuz.com udp
US 8.8.8.8:53 gaqykab.com udp
US 8.8.8.8:53 vowykaf.com udp
US 8.8.8.8:53 pufypiq.com udp
US 8.8.8.8:53 lyxynyx.com udp
US 8.8.8.8:53 qexyhuv.com udp
US 15.197.240.20:80 qexyhuv.com tcp
US 8.8.8.8:53 galynuh.com udp
US 8.8.8.8:53 gadyciz.com udp
US 64.225.91.73:80 galynuh.com tcp
US 8.8.8.8:53 lyxynyx.com udp
US 8.8.8.8:53 vofycot.com udp
US 103.224.212.210:80 lyxynyx.com tcp
US 103.224.182.252:80 vofycot.com tcp
US 44.221.84.105:80 gadyciz.com tcp
US 8.8.8.8:53 qegyval.com udp
HK 154.85.183.50:80 qegyval.com tcp
US 8.8.8.8:53 ww25.lyxynyx.com udp
US 8.8.8.8:53 ww16.vofycot.com udp
US 199.59.243.226:80 ww25.lyxynyx.com tcp
DE 64.190.63.136:80 ww16.vofycot.com tcp

Files

\Windows\AppPatch\svchost.exe

MD5 855a93b789e28535e2b0c49d41cb90a5
SHA1 06850df00386cf4ca1fd1aa19fa8976295c0481c
SHA256 e9377fdbe023a6f9e5509ff46a3737f53fc97c88418e0d240efc077322568738
SHA512 86d179c299b244b77bff3776d22fb2d7a5375e504b61bf32e1c7d6cb3963a7cf3efb0747920d127f6feb993e145536a935c35aa7b29dfbe5b9d7fa48772292de

memory/2380-13-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1696-14-0x0000000002260000-0x0000000002308000-memory.dmp

memory/1696-16-0x0000000002260000-0x0000000002308000-memory.dmp

memory/1696-18-0x0000000002260000-0x0000000002308000-memory.dmp

memory/1696-24-0x0000000002260000-0x0000000002308000-memory.dmp

memory/1696-22-0x0000000002260000-0x0000000002308000-memory.dmp

memory/1696-20-0x0000000002260000-0x0000000002308000-memory.dmp

memory/1696-25-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-27-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-29-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-35-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-34-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-33-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-32-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-31-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-77-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-76-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-75-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-74-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-73-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-72-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-71-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-70-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-69-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-68-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-67-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-66-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-64-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-63-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-62-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-61-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-60-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-59-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-58-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-57-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-56-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-55-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-54-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-53-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-52-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-51-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-50-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-48-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-47-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-46-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-45-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-44-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-43-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-42-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-41-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-39-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-38-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-37-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-36-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-65-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-49-0x0000000002410000-0x00000000024C6000-memory.dmp

memory/1696-40-0x0000000002410000-0x00000000024C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A05A.tmp

MD5 12659815200bfa44ffbb2d67a3a4c53e
SHA1 03c5eadb31b51c9c6b2ecd230dd2fa1dcf053216
SHA256 2584e0e361c7a1342b82bb435e9c77bdde5d76c5093758d88cbae799a37ca10a
SHA512 2792025cd23ab6c15a20d3e8d80c4b9aa73fd8ff09321fd3f8c9801676c9ed3d54c1a1cf4e99cc084dc5267d0459e9f3a66399c76084bd007ee4414b4f61b59a

memory/1696-194-0x0000000002410000-0x00000000024C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CA17.tmp

MD5 926512864979bc27cf187f1de3f57aff
SHA1 acdeb9d6187932613c7fa08eaf28f0cd8116f4b5
SHA256 b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f
SHA512 f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-19 18:48

Reported

2024-09-19 18:51

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\c88ace92 = "A\x15v¨\x04¯¯\u008f\x14R¬ö€ïm⾤\n³Æ_\x01\u0090$ªìNH\u008f ç¢*\a¥3Ÿګu/C‚Ïh*?0é}'¥W@\u0081å²KÚB\x0fï°ÀWÝ%JuÒ'\u00a0Çš1)Õ›ÂËøá1\x1a§·hârŽ{s\x19Cú" C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\c88ace92 = "A\x15v¨\x04¯¯\u008f\x14R¬ö€ïm⾤\n³Æ_\x01\u0090$ªìNH\u008f ç¢*\a¥3Ÿګu/C‚Ïh*?0é}'¥W@\u0081å²KÚB\x0fï°ÀWÝ%JuÒ'\u00a0Çš1)Õ›ÂËøá1\x1a§·hârŽ{s\x19Cú" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe

"C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto
GB 95.101.143.184:80 www.bing.com tcp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 puvyxil.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 lyryfyd.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 qegyqaq.com udp
US 8.8.8.8:53 purydyv.com udp
US 8.8.8.8:53 gacyzuz.com udp
US 8.8.8.8:53 lygymoj.com udp
US 8.8.8.8:53 vowydef.com udp
US 8.8.8.8:53 qexylup.com udp
US 8.8.8.8:53 pufymoq.com udp
US 8.8.8.8:53 gaqydeb.com udp
US 8.8.8.8:53 lyxylux.com udp
US 8.8.8.8:53 vofymik.com udp
US 8.8.8.8:53 qeqysag.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 lymysan.com udp
US 8.8.8.8:53 volykyc.com udp
US 8.8.8.8:53 qedynul.com udp
US 8.8.8.8:53 pumypog.com udp
US 8.8.8.8:53 galykes.com udp
US 8.8.8.8:53 lysynur.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 qekykev.com udp
US 8.8.8.8:53 pupybul.com udp
US 8.8.8.8:53 ganypih.com udp
US 8.8.8.8:53 lykyjad.com udp
US 8.8.8.8:53 vopybyt.com udp
US 8.8.8.8:53 qebytiq.com udp
US 8.8.8.8:53 pujyjav.com udp
US 8.8.8.8:53 gatyvyz.com udp
US 8.8.8.8:53 lyvytuj.com udp
US 8.8.8.8:53 qetyvep.com udp
US 8.8.8.8:53 puvytuq.com udp
US 8.8.8.8:53 gahyhob.com udp
US 8.8.8.8:53 lyryvex.com udp
US 8.8.8.8:53 vocyruk.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 purycap.com udp
US 8.8.8.8:53 gacyryw.com udp
US 8.8.8.8:53 lygygin.com udp
US 8.8.8.8:53 vowycac.com udp
US 8.8.8.8:53 qexyryl.com udp
US 8.8.8.8:53 pufygug.com udp
US 8.8.8.8:53 gaqycos.com udp
US 8.8.8.8:53 lyxywer.com udp
US 8.8.8.8:53 vofygum.com udp
US 8.8.8.8:53 qeqyxov.com udp
US 8.8.8.8:53 puzywel.com udp
US 8.8.8.8:53 gadyfuh.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 volyqat.com udp
US 8.8.8.8:53 qedyfyq.com udp
US 8.8.8.8:53 pumyxiv.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 vonyzuf.com udp
US 8.8.8.8:53 qekyqop.com udp
US 8.8.8.8:53 vojyjof.com udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 184.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 vonypom.com udp
US 172.234.222.138:80 vojyqem.com tcp
US 99.83.138.213:80 puzylyp.com tcp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 208.100.26.245:80 lyvyxor.com tcp
NL 85.17.31.122:80 gatyfus.com tcp
US 162.255.119.102:80 gahyqah.com tcp
US 172.67.173.131:80 qegyhig.com tcp
US 44.221.84.105:80 qetyfuv.com tcp
US 3.94.10.34:80 lymyxid.com tcp
US 44.221.84.105:80 qetyfuv.com tcp
US 18.208.156.248:80 vonypom.com tcp
US 69.162.80.60:80 lysyfyj.com tcp
US 199.191.50.83:80 galyqaz.com tcp
US 172.234.222.138:80 vojyqem.com tcp
US 8.8.8.8:53 www.gahyqah.com udp
US 69.162.80.60:80 lysyfyj.com tcp
DE 91.195.240.19:80 www.gahyqah.com tcp
US 172.67.173.131:443 qegyhig.com tcp
US 8.8.8.8:53 138.222.234.172.in-addr.arpa udp
US 8.8.8.8:53 131.173.67.172.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 102.119.255.162.in-addr.arpa udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 60.80.162.69.in-addr.arpa udp
US 8.8.8.8:53 83.50.191.199.in-addr.arpa udp
US 8.8.8.8:53 19.240.195.91.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.35:80 c.pki.goog tcp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 85.17.31.122:80 gatyfus.com tcp
US 8.8.8.8:53 gadyniw.com udp
US 172.67.173.131:443 qegyhig.com tcp
HK 154.212.231.82:80 gadyniw.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 82.231.212.154.in-addr.arpa udp
US 8.8.8.8:53 122.31.17.85.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 13.248.252.114:80 puzylyp.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 100.56.20.217.in-addr.arpa udp
US 99.83.138.213:80 puzylyp.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 13.248.252.114:80 puzylyp.com tcp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 ganyzub.com udp
US 8.8.8.8:53 lykymox.com udp
US 8.8.8.8:53 vopydek.com udp
US 8.8.8.8:53 qebylug.com udp
US 8.8.8.8:53 pujymip.com udp
US 8.8.8.8:53 gatydaw.com udp
US 8.8.8.8:53 lyvylyn.com udp
US 8.8.8.8:53 vojymic.com udp
US 8.8.8.8:53 qetysal.com udp
US 8.8.8.8:53 puvylyg.com udp
US 8.8.8.8:53 gahynus.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 vocykem.com udp
US 8.8.8.8:53 qegynuv.com udp
US 8.8.8.8:53 purypol.com udp
US 8.8.8.8:53 gacykeh.com udp
US 8.8.8.8:53 lygynud.com udp
US 8.8.8.8:53 vowypit.com udp
US 8.8.8.8:53 qexykaq.com udp
US 8.8.8.8:53 pufybyv.com udp
US 8.8.8.8:53 gaqypiz.com udp
US 8.8.8.8:53 lyxyjaj.com udp
US 8.8.8.8:53 vofybyf.com udp
US 8.8.8.8:53 qeqytup.com udp
US 8.8.8.8:53 puzyjoq.com udp
US 8.8.8.8:53 gadyveb.com udp
US 8.8.8.8:53 lymytux.com udp
US 8.8.8.8:53 volyjok.com udp
US 8.8.8.8:53 qedyveg.com udp
US 8.8.8.8:53 pumytup.com udp
US 8.8.8.8:53 galyhiw.com udp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 vonyryc.com udp
US 8.8.8.8:53 qekyhil.com udp
US 8.8.8.8:53 pupycag.com udp
US 8.8.8.8:53 ganyrys.com udp
US 8.8.8.8:53 lykygur.com udp
US 8.8.8.8:53 vopycom.com udp
US 8.8.8.8:53 qebyrev.com udp
US 8.8.8.8:53 pujygul.com udp
US 8.8.8.8:53 gatycoh.com udp
US 8.8.8.8:53 lyvywed.com udp
US 8.8.8.8:53 vojygut.com udp
US 8.8.8.8:53 qetyxiq.com udp
US 8.8.8.8:53 gahyfyz.com udp
US 8.8.8.8:53 puvywav.com udp
US 8.8.8.8:53 lyryxij.com udp
US 8.8.8.8:53 vocyqaf.com udp
US 8.8.8.8:53 qegyfyp.com udp
US 8.8.8.8:53 puryxuq.com udp
US 8.8.8.8:53 gacyqob.com udp
US 8.8.8.8:53 vowyzuk.com udp
US 8.8.8.8:53 lygyfex.com udp
US 8.8.8.8:53 qexyqog.com udp
US 8.8.8.8:53 pufydep.com udp
US 8.8.8.8:53 gaqyzuw.com udp
US 8.8.8.8:53 lyxymin.com udp
US 8.8.8.8:53 vofydac.com udp
US 8.8.8.8:53 puzymig.com udp
US 8.8.8.8:53 qeqylyl.com udp
US 8.8.8.8:53 gadydas.com udp
US 8.8.8.8:53 lymylyr.com udp
US 8.8.8.8:53 volymum.com udp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 lysyvan.com udp
US 13.248.169.48:80 pupydeq.com tcp
US 8.8.8.8:53 pupycag.com udp
CN 103.150.10.58:80 lyrysor.com tcp
US 104.21.26.151:80 lysyvan.com tcp
US 18.208.156.248:80 pupycag.com tcp
US 104.21.26.151:443 lysyvan.com tcp
US 8.8.8.8:53 151.26.21.104.in-addr.arpa udp
US 8.8.8.8:53 48.169.248.13.in-addr.arpa udp
US 104.21.26.151:443 lysyvan.com tcp
US 13.248.169.48:80 pupydeq.com tcp
CN 103.150.10.58:80 lyrysor.com tcp
US 8.8.8.8:53 qedysov.com udp
US 8.8.8.8:53 pumylel.com udp
US 8.8.8.8:53 galynuh.com udp
US 8.8.8.8:53 lysysod.com udp
US 8.8.8.8:53 vonyket.com udp
US 8.8.8.8:53 qekynuq.com udp
US 8.8.8.8:53 pupypiv.com udp
US 8.8.8.8:53 ganykaz.com udp
US 8.8.8.8:53 lykynyj.com udp
US 8.8.8.8:53 vopypif.com udp
US 8.8.8.8:53 qebykap.com udp
US 8.8.8.8:53 pujybyq.com udp
US 8.8.8.8:53 gatypub.com udp
US 8.8.8.8:53 lyvyjox.com udp
US 8.8.8.8:53 vojybek.com udp
US 8.8.8.8:53 qetytug.com udp
US 8.8.8.8:53 puvyjop.com udp
US 8.8.8.8:53 gahyvew.com udp
US 8.8.8.8:53 lyrytun.com udp
US 8.8.8.8:53 vocyjic.com udp
US 8.8.8.8:53 qegyval.com udp
US 8.8.8.8:53 purytyg.com udp
US 8.8.8.8:53 gacyhis.com udp
US 8.8.8.8:53 lygyvar.com udp
US 8.8.8.8:53 vowyrym.com udp
US 8.8.8.8:53 qexyhuv.com udp
US 8.8.8.8:53 pufycol.com udp
US 8.8.8.8:53 gaqyreh.com udp
US 8.8.8.8:53 lyxygud.com udp
US 8.8.8.8:53 vofycot.com udp
US 8.8.8.8:53 qeqyreq.com udp
US 8.8.8.8:53 puzyguv.com udp
US 8.8.8.8:53 gadyciz.com udp
US 8.8.8.8:53 lymywaj.com udp
US 8.8.8.8:53 volygyf.com udp
US 8.8.8.8:53 qedyxip.com udp
US 8.8.8.8:53 pumywaq.com udp
US 8.8.8.8:53 galyfyb.com udp
US 8.8.8.8:53 lysyxux.com udp
US 8.8.8.8:53 vonyqok.com udp
US 8.8.8.8:53 qekyfeg.com udp
US 8.8.8.8:53 pupyxup.com udp
US 8.8.8.8:53 ganyqow.com udp
US 8.8.8.8:53 lykyfen.com udp
US 8.8.8.8:53 vopyzuc.com udp
US 8.8.8.8:53 qebyqil.com udp
US 8.8.8.8:53 pujydag.com udp
US 8.8.8.8:53 gatyzys.com udp
US 8.8.8.8:53 lyvymir.com udp
US 8.8.8.8:53 vojydam.com udp
US 8.8.8.8:53 qetylyv.com udp
US 8.8.8.8:53 puvymul.com udp
US 8.8.8.8:53 gahydoh.com udp
US 8.8.8.8:53 lyryled.com udp
US 8.8.8.8:53 vocymut.com udp
US 8.8.8.8:53 qegysoq.com udp
US 8.8.8.8:53 purylev.com udp
US 8.8.8.8:53 gacynuz.com udp
US 8.8.8.8:53 lygysij.com udp
US 8.8.8.8:53 vowykaf.com udp
US 8.8.8.8:53 qexynyp.com udp
US 8.8.8.8:53 pufypiq.com udp
US 8.8.8.8:53 gaqykab.com udp
US 8.8.8.8:53 lyxynyx.com udp
US 8.8.8.8:53 qexyhuv.com udp
US 8.8.8.8:53 lyxynyx.com udp
US 8.8.8.8:53 gadyciz.com udp
US 8.8.8.8:53 galynuh.com udp
US 8.8.8.8:53 vofycot.com udp
US 8.8.8.8:53 qegyval.com udp
US 64.225.91.73:80 galynuh.com tcp
US 103.224.182.252:80 vofycot.com tcp
US 44.221.84.105:80 gadyciz.com tcp
US 15.197.240.20:80 qexyhuv.com tcp
US 103.224.212.210:80 lyxynyx.com tcp
HK 154.85.183.50:80 qegyval.com tcp
US 8.8.8.8:53 ww16.vofycot.com udp
DE 64.190.63.136:80 ww16.vofycot.com tcp
US 199.59.243.226:80 ww25.lyxynyx.com tcp
US 8.8.8.8:53 20.240.197.15.in-addr.arpa udp
US 8.8.8.8:53 252.182.224.103.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 210.212.224.103.in-addr.arpa udp
US 8.8.8.8:53 50.183.85.154.in-addr.arpa udp
US 8.8.8.8:53 136.63.190.64.in-addr.arpa udp
US 8.8.8.8:53 226.243.59.199.in-addr.arpa udp
US 15.197.240.20:80 qexyhuv.com tcp
US 8.8.8.8:53 vofypuk.com udp
US 8.8.8.8:53 qeqykog.com udp
US 8.8.8.8:53 puzybep.com udp
US 8.8.8.8:53 gadypuw.com udp
US 8.8.8.8:53 lymyjon.com udp
US 8.8.8.8:53 volybec.com udp
US 8.8.8.8:53 qedytul.com udp
US 8.8.8.8:53 pumyjig.com udp
US 8.8.8.8:53 galyvas.com udp
US 8.8.8.8:53 lysytyr.com udp
US 8.8.8.8:53 vonyjim.com udp
US 8.8.8.8:53 qekyvav.com udp
US 8.8.8.8:53 pupytyl.com udp
US 8.8.8.8:53 ganyhuh.com udp
US 8.8.8.8:53 lykyvod.com udp
US 8.8.8.8:53 vopyret.com udp
US 8.8.8.8:53 qebyhuq.com udp
US 8.8.8.8:53 pujycov.com udp
US 8.8.8.8:53 gatyrez.com udp
US 8.8.8.8:53 lyvyguj.com udp
US 8.8.8.8:53 vojycif.com udp
US 8.8.8.8:53 qetyrap.com udp
US 8.8.8.8:53 puvygyq.com udp
US 8.8.8.8:53 gahycib.com udp
US 8.8.8.8:53 lyrywax.com udp
US 8.8.8.8:53 vocygyk.com udp
US 8.8.8.8:53 qegyxug.com udp
US 8.8.8.8:53 purywop.com udp
US 8.8.8.8:53 gacyfew.com udp
US 8.8.8.8:53 lygyxun.com udp
US 8.8.8.8:53 vowyqoc.com udp
US 8.8.8.8:53 qexyfel.com udp
US 8.8.8.8:53 pufyxug.com udp
US 8.8.8.8:53 gaqyqis.com udp
US 8.8.8.8:53 lyxyfar.com udp
US 8.8.8.8:53 vofyzym.com udp
US 8.8.8.8:53 qeqyqiv.com udp
US 8.8.8.8:53 puzydal.com udp
US 8.8.8.8:53 gadyzyh.com udp
US 8.8.8.8:53 lymymud.com udp
US 8.8.8.8:53 volydot.com udp
US 8.8.8.8:53 qedyleq.com udp
US 8.8.8.8:53 pumymuv.com udp
US 8.8.8.8:53 galydoz.com udp
US 8.8.8.8:53 lysylej.com udp
US 8.8.8.8:53 vonymuf.com udp
US 8.8.8.8:53 qekysip.com udp
US 8.8.8.8:53 pupylaq.com udp
US 8.8.8.8:53 ganynyb.com udp
US 8.8.8.8:53 lykysix.com udp
US 8.8.8.8:53 vopykak.com udp
US 8.8.8.8:53 qebynyg.com udp
US 8.8.8.8:53 pujypup.com udp
US 8.8.8.8:53 gatykow.com udp
US 8.8.8.8:53 vojypuc.com udp
US 8.8.8.8:53 lyvynen.com udp
US 8.8.8.8:53 qetykol.com udp
US 8.8.8.8:53 puvybeg.com udp
US 8.8.8.8:53 gahypus.com udp
US 8.8.8.8:53 lyryjir.com udp
US 8.8.8.8:53 vocybam.com udp
US 8.8.8.8:53 puryjil.com udp
US 8.8.8.8:53 qegytyv.com udp
US 8.8.8.8:53 gacyvah.com udp
US 8.8.8.8:53 lygytyd.com udp
US 8.8.8.8:53 vowyjut.com udp
US 8.8.8.8:53 qexyvoq.com udp
US 8.8.8.8:53 pufytev.com udp
US 8.8.8.8:53 gaqyhuz.com udp
US 8.8.8.8:53 lyxyvoj.com udp
US 8.8.8.8:53 vofyref.com udp
US 8.8.8.8:53 qeqyhup.com udp
US 8.8.8.8:53 puzyciq.com udp
US 8.8.8.8:53 gadyrab.com udp
US 8.8.8.8:53 lymygyx.com udp
US 8.8.8.8:53 volycik.com udp
US 8.8.8.8:53 pumygyp.com udp
US 8.8.8.8:53 galycuw.com udp
US 8.8.8.8:53 lysywon.com udp
US 8.8.8.8:53 vonygec.com udp
US 8.8.8.8:53 qekyxul.com udp
US 8.8.8.8:53 pupywog.com udp
US 8.8.8.8:53 ganyfes.com udp
US 8.8.8.8:53 lykyxur.com udp
US 8.8.8.8:53 vopyqim.com udp
US 8.8.8.8:53 qebyfav.com udp
US 8.8.8.8:53 pujyxyl.com udp
US 8.8.8.8:53 gatyqih.com udp
US 8.8.8.8:53 lyvyfad.com udp
US 8.8.8.8:53 vojyzyt.com udp
US 8.8.8.8:53 qetyquq.com udp
US 8.8.8.8:53 puvydov.com udp
US 8.8.8.8:53 gahyzez.com udp
US 8.8.8.8:53 lyrymuj.com udp
US 8.8.8.8:53 vocydof.com udp
US 8.8.8.8:53 qegylep.com udp
US 8.8.8.8:53 purymuq.com udp
US 8.8.8.8:53 gacydib.com udp
US 8.8.8.8:53 lygylax.com udp
US 8.8.8.8:53 vowymyk.com udp
US 8.8.8.8:53 qexysig.com udp
US 8.8.8.8:53 pufylap.com udp
US 8.8.8.8:53 gaqynyw.com udp
US 8.8.8.8:53 lyxysun.com udp
US 8.8.8.8:53 vofykoc.com udp
US 8.8.8.8:53 qeqynel.com udp
US 8.8.8.8:53 puzypug.com udp
US 8.8.8.8:53 gadykos.com udp
US 8.8.8.8:53 lymyner.com udp
US 8.8.8.8:53 volypum.com udp
US 8.8.8.8:53 qedykiv.com udp
US 8.8.8.8:53 pumybal.com udp
US 8.8.8.8:53 galypyh.com udp
US 8.8.8.8:53 lysyjid.com udp
US 8.8.8.8:53 vonybat.com udp
US 8.8.8.8:53 qekytyq.com udp
US 8.8.8.8:53 pupyjuv.com udp
US 8.8.8.8:53 ganyvoz.com udp
US 8.8.8.8:53 lykytej.com udp
US 8.8.8.8:53 vopyjuf.com udp
US 8.8.8.8:53 qebyvop.com udp
US 8.8.8.8:53 pujyteq.com udp
US 8.8.8.8:53 gatyhub.com udp
US 8.8.8.8:53 lyvyvix.com udp
US 8.8.8.8:53 vojyrak.com udp
US 8.8.8.8:53 qetyhyg.com udp
US 8.8.8.8:53 puvycip.com udp
US 8.8.8.8:53 qetyhyg.com udp
US 8.8.8.8:53 gatyhub.com udp
US 64.225.91.73:80 qetyhyg.com tcp
US 72.52.179.174:80 gatyhub.com tcp
US 72.52.179.174:80 gatyhub.com tcp
US 8.8.8.8:53 gahyraw.com udp
US 8.8.8.8:53 lyrygyn.com udp
US 8.8.8.8:53 vocycuc.com udp
US 8.8.8.8:53 qegyrol.com udp
US 8.8.8.8:53 purygeg.com udp
US 8.8.8.8:53 gacycus.com udp
US 8.8.8.8:53 lygywor.com udp
US 8.8.8.8:53 vowygem.com udp
US 8.8.8.8:53 qexyxuv.com udp
US 8.8.8.8:53 pufywil.com udp
US 8.8.8.8:53 gaqyfah.com udp
US 8.8.8.8:53 lyxyxyd.com udp
US 8.8.8.8:53 vofyqit.com udp
US 8.8.8.8:53 qeqyfaq.com udp
US 8.8.8.8:53 puzyxyv.com udp
US 8.8.8.8:53 gadyquz.com udp
US 8.8.8.8:53 lymyfoj.com udp
US 8.8.8.8:53 volyzef.com udp
US 8.8.8.8:53 qedyqup.com udp
US 8.8.8.8:53 pumydoq.com udp
US 8.8.8.8:53 galyzeb.com udp
US 8.8.8.8:53 lysymux.com udp
US 8.8.8.8:53 vonydik.com udp
US 8.8.8.8:53 qekylag.com udp
US 8.8.8.8:53 pupymyp.com udp
US 8.8.8.8:53 ganydiw.com udp
US 8.8.8.8:53 lykylan.com udp
US 8.8.8.8:53 vopymyc.com udp
US 8.8.8.8:53 qebysul.com udp
US 8.8.8.8:53 pujylog.com udp
US 8.8.8.8:53 gatynes.com udp
US 8.8.8.8:53 lyvysur.com udp
US 8.8.8.8:53 vojykom.com udp
US 8.8.8.8:53 qetynev.com udp
US 8.8.8.8:53 puvypul.com udp
US 8.8.8.8:53 gahykih.com udp
US 8.8.8.8:53 lyrynad.com udp
US 8.8.8.8:53 vocypyt.com udp
US 8.8.8.8:53 qegykiq.com udp
US 8.8.8.8:53 purybav.com udp
US 8.8.8.8:53 gacypyz.com udp
US 8.8.8.8:53 lygyjuj.com udp
US 8.8.8.8:53 vowybof.com udp
US 8.8.8.8:53 qexytep.com udp
US 8.8.8.8:53 pufyjuq.com udp
US 8.8.8.8:53 gaqyvob.com udp
US 8.8.8.8:53 lyxytex.com udp
US 8.8.8.8:53 vofyjuk.com udp
US 8.8.8.8:53 qeqyvig.com udp
US 8.8.8.8:53 puzytap.com udp
US 8.8.8.8:53 gadyhyw.com udp
US 8.8.8.8:53 lymyvin.com udp
US 8.8.8.8:53 volyrac.com udp
US 8.8.8.8:53 pumycug.com udp
US 8.8.8.8:53 galyros.com udp
US 8.8.8.8:53 lysyger.com udp
US 8.8.8.8:53 vonycum.com udp
US 8.8.8.8:53 qekyrov.com udp
US 8.8.8.8:53 pupygel.com udp
US 8.8.8.8:53 ganycuh.com udp
US 8.8.8.8:53 lykywid.com udp
US 8.8.8.8:53 vopygat.com udp
US 8.8.8.8:53 qebyxyq.com udp
US 8.8.8.8:53 174.179.52.72.in-addr.arpa udp
US 8.8.8.8:53 pujywiv.com udp
US 8.8.8.8:53 gatyfaz.com udp
US 8.8.8.8:53 lyvyxyj.com udp
US 8.8.8.8:53 vojyquf.com udp
US 8.8.8.8:53 qetyfop.com udp
US 8.8.8.8:53 puvyxeq.com udp
US 8.8.8.8:53 gahyqub.com udp
US 8.8.8.8:53 lyryfox.com udp
US 8.8.8.8:53 vocyzek.com udp
US 8.8.8.8:53 qegyqug.com udp
US 8.8.8.8:53 purydip.com udp
US 8.8.8.8:53 gacyzaw.com udp
US 8.8.8.8:53 lygymyn.com udp
US 8.8.8.8:53 vowydic.com udp
US 8.8.8.8:53 qexylal.com udp
US 8.8.8.8:53 pufymyg.com udp
US 8.8.8.8:53 gaqydus.com udp
US 8.8.8.8:53 lyxylor.com udp
US 8.8.8.8:53 vofymem.com udp
US 8.8.8.8:53 qeqysuv.com udp
US 8.8.8.8:53 puzylol.com udp
US 8.8.8.8:53 gadyneh.com udp
US 8.8.8.8:53 lymysud.com udp
US 8.8.8.8:53 volykit.com udp
US 8.8.8.8:53 qedynaq.com udp
US 8.8.8.8:53 pumypyv.com udp
US 8.8.8.8:53 galykiz.com udp
US 8.8.8.8:53 lysynaj.com udp
US 8.8.8.8:53 vonypyf.com udp
US 8.8.8.8:53 qekykup.com udp
US 8.8.8.8:53 pupyboq.com udp
US 8.8.8.8:53 ganypeb.com udp
US 8.8.8.8:53 lykyjux.com udp
US 8.8.8.8:53 vopybok.com udp
US 8.8.8.8:53 qebyteg.com udp
US 8.8.8.8:53 pujyjup.com udp
US 8.8.8.8:53 gatyviw.com udp
US 8.8.8.8:53 lyvytan.com udp
US 8.8.8.8:53 vojyjyc.com udp
US 8.8.8.8:53 qetyvil.com udp
US 8.8.8.8:53 puvytag.com udp
US 8.8.8.8:53 gahyhys.com udp
US 8.8.8.8:53 lyryvur.com udp
US 8.8.8.8:53 vocyrom.com udp
US 8.8.8.8:53 qegyhev.com udp
US 8.8.8.8:53 purycul.com udp
US 8.8.8.8:53 gacyroh.com udp
US 8.8.8.8:53 lygyged.com udp
US 8.8.8.8:53 vowycut.com udp
US 8.8.8.8:53 qexyriq.com udp
US 8.8.8.8:53 pufygav.com udp
US 8.8.8.8:53 gaqycyz.com udp
US 8.8.8.8:53 lyxywij.com udp
US 8.8.8.8:53 vofygaf.com udp
US 8.8.8.8:53 qeqyxyp.com udp
US 8.8.8.8:53 puzywuq.com udp
US 8.8.8.8:53 gadyfob.com udp
US 8.8.8.8:53 lymyxex.com udp
US 8.8.8.8:53 volyquk.com udp
US 8.8.8.8:53 qedyfog.com udp
US 8.8.8.8:53 pumyxep.com udp
US 8.8.8.8:53 galyquw.com udp
US 8.8.8.8:53 lysyfin.com udp
US 8.8.8.8:53 vonyzac.com udp

Files

C:\Windows\apppatch\svchost.exe

MD5 dcb6238a3dce022abf10cba8604a205a
SHA1 ac036856fa84382e2d7a3929954fda0618109429
SHA256 cd0f72214bb89a6f3a20d08160774bdeeb6ec2cff806db63b301b9c140f6df99
SHA512 2526b8b3deb29e0c5c76f8514bd784e8776aba018c53d31b993d13a760103626359c2e5d430926b9e9e50ec3c82675656aefcdcd966d1c65bde0f11941b2f53e

memory/4272-8-0x0000000000400000-0x000000000045F000-memory.dmp

memory/4332-10-0x0000000002720000-0x00000000027C8000-memory.dmp

memory/4332-11-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-15-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-13-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-20-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-22-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-72-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-71-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-70-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-69-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-68-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-67-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-66-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-65-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-64-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-62-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-61-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-60-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-59-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-58-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-57-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-56-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-55-0x0000000002B40000-0x0000000002BF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C7D4.tmp

MD5 b984dcf6f0067b333d183d4cfba1e564
SHA1 6177f2ea009b6845e6fc90e9a840a0a0e0bdf2d3
SHA256 63c3b1164414355ae7a464cdf611f23de6c21c5ab92acff5cbe360460cf5cf5f
SHA512 4edb8c06cdc61a3b61aca74a76f74c897460da4ec80b95fb6c46222b2636eec34ed84e7ff534fb6fd85014cf6e6a23506de76e15cf71e68abef2cd1f0af3c377

memory/4332-54-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-53-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-52-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-50-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-49-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-48-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-47-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-46-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-45-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-44-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-43-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-42-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-40-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-39-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-38-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-37-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-36-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-35-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-34-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-33-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-32-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-31-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-30-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-28-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-27-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-26-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-25-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-24-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-23-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-21-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-19-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-18-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-17-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-63-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-51-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-41-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-29-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-16-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4332-164-0x0000000002B40000-0x0000000002BF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B45.tmp

MD5 926512864979bc27cf187f1de3f57aff
SHA1 acdeb9d6187932613c7fa08eaf28f0cd8116f4b5
SHA256 b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f
SHA512 f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b