Malware Analysis Report

2024-12-07 15:02

Sample ID 241030-tetdhawhnb
Target c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N
SHA256 c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310
Tags
simda discovery persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310

Threat Level: Known bad

The file c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

Modifies WinLogon for persistence

Simda family

simda

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in Windows directory

System Location Discovery: System Language Discovery

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-30 15:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-30 15:58

Reported

2024-10-30 16:00

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\31b00308 = "@\tJ¤\rÖ£w\x19õªRÎÀ–šïøÓØ`¨\x1dË„" C:\Windows\apppatch\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\31b00308 = "@\tJ¤\rÖ£w\x19õªRÎÀ–šïøÓØ`¨\x1dË„" C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe

"C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Files

\Windows\AppPatch\svchost.exe

MD5 a9d82ccfe3b8cf7cf7f6604abd3b7af1
SHA1 bcfb6336fa7adbb0e9e7dc538c8f634560c812ed
SHA256 9216c78bbfc03507925dc4412cfabc62eb31b204f1fdac1be0dc24bec23cf12c
SHA512 584741ad9a376cb11d64d10108b74b3d6bda32dffdeaed518ac41bf10228327a6e1241b6ce4f158f27d841af4b429508316270adf1684c4c71e9d715767c2043

C:\Users\Admin\AppData\Local\Temp\546B.tmp

MD5 bcb3472bb49eb6bfd6b407ba5c2b98d7
SHA1 3560ffd5b4bf89e7b4d799e023082500f934bed2
SHA256 b9ef35a6f037c15fa5d04438281f69c54a876f32d3f407bce4d666e4ad3ad478
SHA512 d196a07b864416fa18f6a168c0d67d35cf33c82240b0d86d40e1492b02e43ac0722a89e31fd240eaa34b86973721bd8d6e776a47541c3504e0ac6b38266a791e

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-30 15:58

Reported

2024-10-30 16:01

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\844cf036 = "M7l\x1e\u0081‹q§1\x0eDˆà…-\x19ÍYˆ…U\x18öP\u008f>\f—•=è\x18Þ\u009d\u00a0¹@¾A%ø](àèà¥@A\x05€\be(F\x05U¸µŽ\x10˜Õ5¹`eæ¦%}\r\u0090vmé¡\bé¶\x18¹-¾n}¢Ð5Ø\u008d\bî&𱀉\x18ñq¥…" C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\844cf036 = "M7l\x1e\u0081‹q§1\x0eDˆà…-\x19ÍYˆ…U\x18öP\u008f>\f—•=è\x18Þ\u009d\u00a0¹@¾A%ø](àèà¥@A\x05€\be(F\x05U¸µŽ\x10˜Õ5¹`eæ¦%}\r\u0090vmé¡\bé¶\x18¹-¾n}¢Ð5Ø\u008d\bî&𱀉\x18ñq¥…" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe

"C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Files

C:\Windows\apppatch\svchost.exe

MD5 5e268b8371a5e9ecb8b192ea0efbce6b
SHA1 bfbff31339547b9e54c54dc14dc37a1e65674495
SHA256 0d4f2a679bf8155c5d6b147c220efdfee4f2d68d38ea51f5b7803d870f9a0423
SHA512 0f6ad10efad300dab38c5cd5d6859dc725ec7fd913affc99c0a4eade80402bdf301fa78976368341512f5c0dff9638df2db8c3ca070e53d7a3a950a431c67240


memory/3496-52-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-51-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-50-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-49-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-47-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-46-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-45-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-44-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-43-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-42-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-40-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-38-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-37-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-35-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-36-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-28-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-34-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-33-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-32-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-30-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-29-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-25-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-69-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-65-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-64-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-48-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-41-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-39-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-31-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

memory/3496-27-0x0000000002BF0000-0x0000000002CA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EC1F.tmp

MD5 4f0f732507a3ce4085f5cfe083169449
SHA1 967c23df6dd44f1f7fa89d4acc692fc7825e15ce
SHA256 8cb4b7ec22785f2645b99b81248091ec3d73dae87d95765a3f4a0b1d686bbed5
SHA512 b40a34b7d1e2d98b2c3053fc70239367687319f66a714aa231f64ddfb5e0853a1e1271a9a59cb07fbf8dcd7133e00cb8f87eacbcf23155f26c7ea4ecfceb6518