Analysis Overview
SHA256
c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310
Threat Level: Known bad
The file c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Simda family
simda
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Drops file in Windows directory
System Location Discovery: System Language Discovery
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-30 15:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-30 15:58
Reported
2024-10-30 16:00
Platform
win7-20240903-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\31b00308 = "@\tJ¤\rÖ£w\x19õªRÎÀ–šïøÓØ`¨\x1dË„" | C:\Windows\apppatch\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\31b00308 = "@\tJ¤\rÖ£w\x19õªRÎÀ–šïøÓØ`¨\x1dË„" | C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1940 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe
"C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
\Windows\AppPatch\svchost.exe
| MD5 | a9d82ccfe3b8cf7cf7f6604abd3b7af1 |
| SHA1 | bcfb6336fa7adbb0e9e7dc538c8f634560c812ed |
| SHA256 | 9216c78bbfc03507925dc4412cfabc62eb31b204f1fdac1be0dc24bec23cf12c |
| SHA512 | 584741ad9a376cb11d64d10108b74b3d6bda32dffdeaed518ac41bf10228327a6e1241b6ce4f158f27d841af4b429508316270adf1684c4c71e9d715767c2043 |
C:\Users\Admin\AppData\Local\Temp\546B.tmp
| MD5 | bcb3472bb49eb6bfd6b407ba5c2b98d7 |
| SHA1 | 3560ffd5b4bf89e7b4d799e023082500f934bed2 |
| SHA256 | b9ef35a6f037c15fa5d04438281f69c54a876f32d3f407bce4d666e4ad3ad478 |
| SHA512 | d196a07b864416fa18f6a168c0d67d35cf33c82240b0d86d40e1492b02e43ac0722a89e31fd240eaa34b86973721bd8d6e776a47541c3504e0ac6b38266a791e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-30 15:58
Reported
2024-10-30 16:01
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
123s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\844cf036 = "M7l\x1e\u0081‹q§1\x0eDˆà…-\x19ÍYˆ…U\x18öP\u008f>\f—•=è\x18Þ\u009d\u00a0¹@¾A%ø](àèà¥@A\x05€\be(F\x05U¸µŽ\x10˜Õ5¹`eæ¦%}\r\u0090vmé¡\bé¶\x18¹-¾n}¢Ð5Ø\u008d\bî&𱀉\x18ñq¥…" | C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\844cf036 = "M7l\x1e\u0081‹q§1\x0eDˆà…-\x19ÍYˆ…U\x18öP\u008f>\f—•=è\x18Þ\u009d\u00a0¹@¾A%ø](àèà¥@A\x05€\be(F\x05U¸µŽ\x10˜Õ5¹`eæ¦%}\r\u0090vmé¡\bé¶\x18¹-¾n}¢Ð5Ø\u008d\bî&𱀉\x18ñq¥…" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4180 wrote to memory of 3496 | N/A | C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe
"C:\Users\Admin\AppData\Local\Temp\c4e0e7cf30e803194c47b2b58ec46f5023d0929250cb419938eb3c24c9460310N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
C:\Windows\apppatch\svchost.exe
| MD5 | 5e268b8371a5e9ecb8b192ea0efbce6b |
| SHA1 | bfbff31339547b9e54c54dc14dc37a1e65674495 |
| SHA256 | 0d4f2a679bf8155c5d6b147c220efdfee4f2d68d38ea51f5b7803d870f9a0423 |
| SHA512 | 0f6ad10efad300dab38c5cd5d6859dc725ec7fd913affc99c0a4eade80402bdf301fa78976368341512f5c0dff9638df2db8c3ca070e53d7a3a950a431c67240 |
C:\Users\Admin\AppData\Local\Temp\EC1F.tmp
| MD5 | 4f0f732507a3ce4085f5cfe083169449 |
| SHA1 | 967c23df6dd44f1f7fa89d4acc692fc7825e15ce |
| SHA256 | 8cb4b7ec22785f2645b99b81248091ec3d73dae87d95765a3f4a0b1d686bbed5 |
| SHA512 | b40a34b7d1e2d98b2c3053fc70239367687319f66a714aa231f64ddfb5e0853a1e1271a9a59cb07fbf8dcd7133e00cb8f87eacbcf23155f26c7ea4ecfceb6518 |