Malware Analysis Report

2024-12-07 15:00

Sample ID 241101-lmqzcazarg
Target 3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N
SHA256 3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079
Tags
simda discovery persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079

Threat Level: Known bad

The file 3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

Modifies WinLogon for persistence

Simda family

simda

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-01 09:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-01 09:39

Reported

2024-11-01 09:41

Platform

win7-20241010-en

Max time kernel

112s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\382e63 = "å5zïIÌQKádDÉ,\n\x1cg&Ì(Håzò(\x1b7ŸG‹_©ä„äUY\f„¾\u0090jÒ!bqÙÎÐ+pn\n\u00a0À–„‚×vÆÔp·\x1e–9'\fZ\x1eJ\x18Àü\x13„q²„œõèS\x03NÞÝ-²ú\n$'Ìëäj" C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\382e63 = "å5zïIÌQKádDÉ,\n\x1cg&Ì(Håzò(\x1b7ŸG‹_©ä„äUY\f„¾\u0090jÒ!bqÙÎÐ+pn\n\u00a0À–„‚×vÆÔp·\x1e–9'\fZ\x1eJ\x18Àü\x13„q²„œõèS\x03NÞÝ-²ú\n$'Ìëäj" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe

"C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Files

\Windows\AppPatch\svchost.exe

MD5 36646ce23c5bd894e8b32470badde0e4
SHA1 4222cec3f679c3084184f6708f61dc74d7228cb7
SHA256 b517d2fe146fb85bca24dee21c8db49696e94eeead78a275dfd74fb481163cee
SHA512 68759aab272e24792fba495c6bb57a525bf9ed68e2a7c3c43b4933f0d2b5a99d6eea47e9298ad614474ef7a3b52e378b749a18430856dc820e7a79a8598560c5

C:\Users\Admin\AppData\Local\Temp\7FB5.tmp

MD5 b6b829166e114b6022fa820f590fae92
SHA1 5596d8928764206914079da76c6cafc16fb3ff5e
SHA256 5e9bd989e6e10939654acb8b23d6088eadbe70b0910b655f8205cf0fd9a314d7
SHA512 bee444ae9466c2e1425cff4f8b0e0f9716f2efd0921efcb18d5a8cabf3824fe3d3464431e24b889d4e5fde9c155caebe7dbe283655c94c74b2c1f0058f3b3400

C:\Users\Admin\AppData\Local\Temp\7EE2.tmp

MD5 fab092917525e43d8f67df4dcb85f041
SHA1 a9a460471981d63ffca57cff780ddfbd58eea94c
SHA256 b947bb37887dc89e7eaa62ec7ed208f7fc378c1bcc674423c16f222ab1eafe9f
SHA512 c9232452f93ec47487f69cbdc20c2344e9ca223500a42f00089e65553299ff5a4c15ec4fdc99ec3605d96d2ce24a8f11d881932ec41cf1f1cc5534e5624b9e90

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-01 09:39

Reported

2024-11-01 09:41

Platform

win10v2004-20241007-en

Max time kernel

115s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\e481cedb = "£\x1fùàaYî\x02\n.©l’]àÌy®U\u0081¹Ì1åõdñSX\x05ÀÒ\u00a0E:oÊ×\x18½ú\u009d¿ýÂPJ:Å\r\u009dÝ•R:R?}\u00adŸ\b\x12mb0*5Ý5ê\x17íª\x12\a¢ø2Ýšúï½}ˆ\x7f\u00ad8\"Z\x12\x7fŠJÂ:%Jå…\x05½rç_µ2\x1f\"ߪ…uâø‚\u008d\x10ÕíHÍ\x1d\x0fº°\"\u008f\x1a¿g²Ðí\x1aU:" C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\e481cedb = "£\x1fùàaYî\x02\n.©l’]àÌy®U\u0081¹Ì1åõdñSX\x05ÀÒ\u00a0E:oÊ×\x18½ú\u009d¿ýÂPJ:Å\r\u009dÝ•R:R?}\u00adŸ\b\x12mb0*5Ý5ê\x17íª\x12\a¢ø2Ýšúï½}ˆ\x7f\u00ad8\"Z\x12\x7fŠJÂ:%Jå…\x05½rç_µ2\x1f\"ߪ…uâø‚\u008d\x10ÕíHÍ\x1d\x0fº°\"\u008f\x1a¿g²Ðí\x1aU:" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe

"C:\Users\Admin\AppData\Local\Temp\3561ab51469b0498f919686a1ed3ce1e0f139b8165d18f6a72193d6d1c098079N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Files

C:\Windows\apppatch\svchost.exe

MD5 bee8b3f37596efb807cd7e3a126215d5
SHA1 bf5fcac58fdc09224d8412ba1ac27ab708fa2bad
SHA256 1d6674818a1db9c6ae7054da50331d1c3a1f291442a35ef72ff74b37440e400a
SHA512 326f80adc9e2421e09714b586dacc0a5327d0f3a51e56f91fb653b4f780bfdbe7baf9ffff4b3b51b55b4faae5dc089488c952fa6c5c8bed0f1a920e4484dde05

memory/3212-11-0x0000000000400000-0x00000000006D0000-memory.dmp

memory/3212-13-0x0000000000400000-0x000000000045F000-memory.dmp

memory/3616-15-0x0000000000400000-0x00000000006D0000-memory.dmp

memory/3616-16-0x0000000000400000-0x00000000006D0000-memory.dmp

memory/3212-12-0x0000000002420000-0x0000000002471000-memory.dmp

memory/3616-17-0x0000000000400000-0x00000000006D0000-memory.dmp

memory/3616-18-0x0000000002C00000-0x0000000002CA8000-memory.dmp

memory/3616-19-0x0000000000400000-0x00000000006D0000-memory.dmp

memory/3616-24-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-22-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-20-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-35-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-38-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-79-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-78-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-77-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-76-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-75-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-74-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-73-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-72-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-71-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-69-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-68-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-66-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-65-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-64-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-63-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-62-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-61-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-60-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-59-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-58-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-57-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-56-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-55-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-54-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-53-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-51-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-50-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-48-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-47-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-46-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-45-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-44-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-43-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-42-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-41-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-40-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-39-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-37-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-36-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-32-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-31-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-30-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-29-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-28-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-27-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-70-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-67-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-25-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-52-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-49-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-34-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-33-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

memory/3616-26-0x0000000002DF0000-0x0000000002EA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\743F.tmp

MD5 dafad34a6cc123ba041bb7121b00570c
SHA1 f4a42768ea2d4aaee76573c94939031c1bcafedf
SHA256 bfa7e1c2bd7dfbb307303292f8928fa06aeb0364f3231f00f241f0ef17a1201c
SHA512 428aacd9150709b5aff843d066554d1716de6f8dbc29143fc4b04e1a4bb0f5adc34d1137fff3343912efaf01cc77805cf2dee83cebdbbe60cb02f43b02b6e22a

C:\Users\Admin\AppData\Local\Temp\7310.tmp

MD5 c25c0be7afa4977726b0e3b7fdce76e5
SHA1 592404ee1d70e95d09411d328405791370289852
SHA256 873c26895acd2231b2171d66b6046717d58e106b847574f09bfde4da01fd50ce
SHA512 c7dff716afad6e8f66c726b110edaea98f763257dbc807d00c53a5e2fce4315c0bc07f81bd52ac6f2b0b9c86f3fbfbd0b520ff495502001a0042a4df9a016c45