Analysis Overview
SHA256
8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9
Threat Level: Known bad
The file 8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe was classified as Known bad (the sample was named after its SHA256 when submitted).
Malicious Activity Summary
Simda family
simda
Modifies WinLogon for persistence
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Drops file in Windows directory
System Location Discovery: System Language Discovery
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 23:29
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 23:29
Reported
2024-11-17 23:31
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
121s
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\2707c26e = "uÕX\a\x1fÔB˜ Á¬Þ6Šò'Îm\u0090†\x1cÄlç\x1d´{^IJU÷²î`^tò×\u008fç\x17ÈòVÚ\u0090\x12\x06BÒßWæß\u008f\x12N\n|Þ¿§\x0f7.:ÇŠ®§\"ZÊÐJ*\x18‡Fïvâ†G\x12`4wǘ÷jon\a\x12úºR¬zÿ¾^<Ÿ×çâÒ6Ò/f>\x0eÊÿ\x12¢¿JàfLú.4Rn¸Ž\u00a0pȇÇj\u008fЇ:zÂ_´ºú\fï<_‡,(ÌZ’ä§\x1aòð\f¾Ê\u008fʯ_b:xÇ®`ÀVBZ‚Žº\a\x12¯ïï\x1f$rÇ:ö>n¢x|rZÿ:<’Ê¢\x12Ê" | C:\Windows\apppatch\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\2707c26e = "uÕX\a\x1fÔB˜ Á¬Þ6Šò'Îm\u0090†\x1cÄlç\x1d´{^IJU÷²î`^tò×\u008fç\x17ÈòVÚ\u0090\x12\x06BÒßWæß\u008f\x12N\n|Þ¿§\x0f7.:ÇŠ®§\"ZÊÐJ*\x18‡Fïvâ†G\x12`4wǘ÷jon\a\x12úºR¬zÿ¾^<Ÿ×çâÒ6Ò/f>\x0eÊÿ\x12¢¿JàfLú.4Rn¸Ž\u00a0pȇÇj\u008fЇ:zÂ_´ºú\fï<_‡,(ÌZ’ä§\x1aòð\f¾Ê\u008fʯ_b:xÇ®`ÀVBZ‚Žº\a\x12¯ïï\x1f$rÇ:ö>n¢x|rZÿ:<’Ê¢\x12Ê" | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 736 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | C:\Windows\apppatch\svchost.exe |
| PID 736 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | C:\Windows\apppatch\svchost.exe |
| PID 736 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | C:\Windows\apppatch\svchost.exe |
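The persistence indicators above give a hunt that does not depend on the dropped file's hash (which differs between the two detonations, a1579c19… on Windows 10 and f9d6bd92… on Windows 7): an extra entry appended to the Winlogon Userinit value, a file named svchost.exe executing from C:\Windows\apppatch instead of System32, and a Winlogon value with a random-looking eight-hex-digit name (2707c26e on Windows 10, a8f77683 on Windows 7) holding the sample's binary blob. The following is an added example, not code from the sandbox report or from the malware; the clean Userinit value, the set of legitimate svchost.exe directories and the eight-hex-digit name pattern are assumptions fitted to what the report shows.

```python
# Added example, not code from the sandbox report: turn the persistence
# indicators above (Userinit hook, svchost.exe dropped into C:\Windows\apppatch,
# random-named Winlogon values) into checks that can run over collected data.
import ntpath
import re

# Values copied from the report's signature tables.
OBSERVED_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Windows\apppatch\svchost.exe,"
OBSERVED_WINLOGON_VALUES = ["userinit", "2707c26e", "a8f77683"]

# Assumption: a clean Userinit holds exactly this entry (trailing comma is normal).
EXPECTED_USERINIT_ENTRIES = {r"c:\windows\system32\userinit.exe"}

# Assumption: the only directories a genuine svchost.exe should execute from.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Fitted to the two value names observed in the report: eight lowercase hex digits.
RANDOM_VALUE_NAME = re.compile(r"[0-9a-f]{8}")


def parse_userinit(value: str) -> list[str]:
    """Split a Winlogon Userinit string into normalized, lower-cased paths.

    Winlogon runs every comma-separated entry at logon, so appending a path
    is enough to get code executed on every interactive logon.
    """
    entries = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if entry:
            entries.append(ntpath.normpath(entry).lower())
    return entries


def rogue_userinit_entries(value: str) -> list[str]:
    """Userinit entries other than the expected userinit.exe."""
    return [e for e in parse_userinit(value) if e not in EXPECTED_USERINIT_ENTRIES]


def is_masquerading_svchost(path: str) -> bool:
    """True for a file named svchost.exe that lives outside its legitimate directories."""
    norm = ntpath.normpath(path).lower()
    return ntpath.basename(norm) == "svchost.exe" and ntpath.dirname(norm) not in LEGIT_SVCHOST_DIRS


def random_winlogon_values(names) -> list[str]:
    """Winlogon value names that look machine-generated rather than documented."""
    return [n for n in names if RANDOM_VALUE_NAME.fullmatch(n.lower())]


if __name__ == "__main__":
    for entry in rogue_userinit_entries(OBSERVED_USERINIT):
        note = " (svchost.exe outside System32)" if is_masquerading_svchost(entry) else ""
        print(f"rogue Userinit entry: {entry}{note}")
    for name in random_winlogon_values(OBSERVED_WINLOGON_VALUES):
        print(f"suspicious Winlogon value name: {name}")
```

On a live host the same three checks map onto reading HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and the process image paths from the endpoint's telemetry; the Userinit parsing is the part that is easy to get wrong, because the legitimate value already ends in a comma and a quoted entry is still valid.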
Processes
C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe
"C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| GB | 95.101.143.219:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | 219.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 199.59.243.227:80 | vojyqem.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 162.255.119.102:80 | gahyqah.com | tcp |
| US | 104.21.30.183:80 | qegyhig.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| DE | 178.162.203.202:80 | gatyfus.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 99.83.170.3:443 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.170.83.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.30.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.119.255.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.50.191.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.10.94.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.240.195.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.231.212.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| NL | 5.79.71.225:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 225.71.79.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| NL | 5.79.71.225:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| NL | 85.17.31.82:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | 82.31.17.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 172.67.136.136:80 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 3.94.10.34:80 | lygynud.com | tcp |
| CN | 103.150.10.48:80 | lyrysor.com | tcp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | 136.136.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.54.223.76.in-addr.arpa | udp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| CN | 103.150.10.48:80 | lyrysor.com | tcp |
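The DNS traffic above is dominated by seven-letter .com names (gatyfus.com, lyvyxor.com, vojyqem.com, qetyfuv.com …) that share one letter pattern, of which only a handful (puzylyp.com, gahyqah.com, qegyhig.com, gatyfus.com …) go on to TCP connections on ports 80 and 443; the in-addr.arpa, www.bing.com and c.pki.goog lookups are the sandbox's own background noise. The following is an added example, not code from the report or a reproduction of the family's generation algorithm: a heuristic regex fitted to the observed names (consonant-vowel alternation with 'y' as a vowel and in fourth position, directly under .com), run over a constructed list of query names copied from the table, with the registrable-domain extraction simplified to the last two labels.

```python
# Added example, not code from the sandbox report: flag DNS queries that match
# the letter pattern shared by the generated-looking domains in the table above.
import re

# Constructed sample of query names, copied from the report's network table.
DNS_QUERIES = [
    "196.249.167.52.in-addr.arpa",
    "www.bing.com",
    "gatyfus.com", "lyvyxor.com", "vojyqem.com", "qetyfuv.com", "puvyxil.com",
    "gahyqah.com", "lyryfyd.com", "vocyzit.com", "qegyqaq.com", "purydyv.com",
    "www.gahyqah.com", "ww8.galyqaz.com", "c.pki.goog",
]

# Heuristic fitted to the observed names, not the family's real algorithm:
# seven letters, consonant/vowel alternation ('y' counts as a vowel) with a
# literal 'y' in fourth position, registered directly under .com.
CONSONANT = "[b-df-hj-np-tv-xz]"   # a-z minus a, e, i, o, u, y
VOWEL = "[aeiouy]"
DGA_LABEL = re.compile(f"{CONSONANT}{VOWEL}{CONSONANT}y{CONSONANT}{VOWEL}{CONSONANT}")


def registrable_domain(qname: str) -> str:
    """Last two labels of a query name (assumption: no multi-label public suffixes)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_generated(qname: str) -> bool:
    """True when the registrable label matches the fitted pattern under .com."""
    label, _, tld = registrable_domain(qname).partition(".")
    return tld == "com" and DGA_LABEL.fullmatch(label) is not None


def suspected_dga_domains(queries) -> list[str]:
    """Distinct flagged registrable domains, in first-seen order."""
    seen: list[str] = []
    for q in queries:
        domain = registrable_domain(q)
        if looks_generated(q) and domain not in seen:
            seen.append(domain)
    return seen


def dga_alert(queries, threshold: int = 5) -> bool:
    """Alert once a host has queried at least `threshold` distinct matching domains."""
    return len(suspected_dga_domains(queries)) >= threshold


if __name__ == "__main__":
    for domain in suspected_dga_domains(DNS_QUERIES):
        print(f"suspected generated domain: {domain}")
    print("alert:", dga_alert(DNS_QUERIES))
```

The threshold matters more than the regex: a single seven-letter pronounceable .com is unremarkable, while dozens of them from one host inside two minutes, most never followed by a TCP connection, is the signature of a generation algorithm probing for a live controller. The same per-host count can be fed from resolver logs or NXDOMAIN responses when full query visibility is not available.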
Files
memory/736-0-0x00000000022F0000-0x0000000002341000-memory.dmp
memory/736-1-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Windows\apppatch\svchost.exe
| MD5 | dff4053da00137391dd982e44de14359 |
| SHA1 | fa083375a9ba3bb372268c272db8553ffdab68f6 |
| SHA256 | a1579c197e963b276c490c5961f7705b1145a87f2b062938f86f309c056d5b4d |
| SHA512 | 9043dd32c439fd3c21077eb93885087c8e345785db1112c21b099a727b9f20dd6b401766365ad07dab4d540ececc7ffb794c574d677f2681490a0d57902f0c8e |
memory/736-13-0x0000000000400000-0x000000000045F000-memory.dmp
memory/736-12-0x00000000022F0000-0x0000000002341000-memory.dmp
memory/3476-14-0x0000000000400000-0x00000000005AE000-memory.dmp
memory/736-11-0x0000000000400000-0x00000000005AE000-memory.dmp
memory/3476-15-0x0000000000400000-0x00000000005AE000-memory.dmp
memory/3476-16-0x00000000028D0000-0x0000000002978000-memory.dmp
memory/3476-17-0x0000000000400000-0x00000000005AE000-memory.dmp
memory/3476-18-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-22-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-20-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-74-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-79-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-78-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-77-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-76-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-75-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-73-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-72-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-70-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-69-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-68-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-67-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-66-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-65-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-64-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-63-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-61-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-60-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-59-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-58-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-57-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-56-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-55-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-54-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-53-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-52-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-50-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-49-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-48-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-47-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-46-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-45-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-44-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-43-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-42-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-41-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-40-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-39-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-38-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-36-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-35-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-33-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-32-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-31-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-30-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-29-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-28-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-27-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-26-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-24-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-23-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-71-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-62-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-51-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-37-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-34-0x0000000002D00000-0x0000000002DB6000-memory.dmp
memory/3476-25-0x0000000002D00000-0x0000000002DB6000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 23:29
Reported
2024-11-17 23:31
Platform
win7-20241010-en
Max time kernel
111s
Max time network
125s
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\a8f77683 = "\x1f\x06w\tZ×—„ä\a%" | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\a8f77683 = "\x1f\x06w\tZ×—„ä\a%" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | N/A |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2304 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2304 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2304 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2304 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe
"C:\Users\Admin\AppData\Local\Temp\8aa3bc826c69ebb2d165db8f4d42426566b6addb7e7f80c0a36e34a9b685f4d9N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| GB | 95.101.143.201:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 162.255.119.102:80 | gahyqah.com | tcp |
| NL | 85.17.31.122:80 | gatyfus.com | tcp |
| US | 172.67.173.131:80 | qegyhig.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 199.59.243.227:80 | vojyqem.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 8.8.8.8:53 | ww8.galyqaz.com | udp |
| US | 173.255.194.134:80 | ww8.galyqaz.com | tcp |
| NL | 85.17.31.122:80 | gatyfus.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| DE | 178.162.203.202:80 | gatyfus.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
| DE | 178.162.203.211:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 104.21.26.151:80 | lysyvan.com | tcp |
| US | 3.94.10.34:80 | lygynud.com | tcp |
| CN | 103.150.10.48:80 | lyrysor.com | tcp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| CN | 103.150.10.48:80 | lyrysor.com | tcp |
Files
memory/2304-0-0x0000000000740000-0x0000000000791000-memory.dmp
memory/2304-1-0x0000000000400000-0x000000000045F000-memory.dmp
\Windows\AppPatch\svchost.exe
| MD5 | ef654f67f9c8cdd896df3ca4b7d22e4f |
| SHA1 | 2ceb7e0c179e80bc81f92e0ba62c214a99fa93d1 |
| SHA256 | f9d6bd927617efd1637d6fa06ab2fd4aaa313881cdcaa6ce084702eb7a71c132 |
| SHA512 | 124ef7dda01d169791a77e5d6edb4daaf04151c330fd6120ccb5fa62b0da6d61da6a46e91354f519eefb87b9b55a862140ac837e834b0258950b0b69ad0ed68a |
memory/2304-17-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2304-16-0x0000000000740000-0x0000000000791000-memory.dmp
memory/2304-15-0x0000000000400000-0x00000000005AE000-memory.dmp
memory/2968-18-0x0000000000400000-0x00000000005AE000-memory.dmp
memory/2968-19-0x0000000000400000-0x00000000005AE000-memory.dmp
memory/2968-20-0x0000000002420000-0x00000000024C8000-memory.dmp
memory/2968-22-0x0000000002420000-0x00000000024C8000-memory.dmp
memory/2968-30-0x0000000002420000-0x00000000024C8000-memory.dmp
memory/2968-29-0x0000000002420000-0x00000000024C8000-memory.dmp
memory/2968-31-0x0000000000400000-0x00000000005AE000-memory.dmp
memory/2968-26-0x0000000002420000-0x00000000024C8000-memory.dmp
memory/2968-24-0x0000000002420000-0x00000000024C8000-memory.dmp
memory/2968-32-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-36-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-34-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-48-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-53-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-84-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-82-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-81-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-80-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-79-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-78-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-77-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-76-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-74-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-73-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-72-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-71-0x00000000025D0000-0x0000000002686000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\96C.tmp
| MD5 | 355d49a4e64d93ab43ba4c76955b63df |
| SHA1 | 1b2d682f7f296798dd3f6e49ed2f8170dd975b71 |
| SHA256 | 8264bfe819082fbedf2017262bcf16443868f658a7dae28edbe5bbd83464b228 |
| SHA512 | 69176b621f339afb2376288324421138cb3aee2762601c127616eeeb18c5d52c46b6fed74b5d0c2419f58454126bf8f2f684bf6c398ec8149dfa163c94b131c5 |
memory/2968-70-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-69-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-68-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-67-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-65-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-64-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-63-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-62-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-61-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-60-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-59-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-57-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-56-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-55-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-54-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-52-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-51-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-50-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-49-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-47-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-46-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-45-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-44-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-83-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-43-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-75-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-42-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-41-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-66-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-40-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-58-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-39-0x00000000025D0000-0x0000000002686000-memory.dmp
memory/2968-38-0x00000000025D0000-0x0000000002686000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\89A.tmp
| MD5 | 765a6580066709a27907b9df38eaa15e |
| SHA1 | 946a629b97cb07262ff4fc7b347e9b82352787d7 |
| SHA256 | 9db3a1dbfc57a43c3e420acc5335113785a16cc46f14d57a53f370a838d565d5 |
| SHA512 | 7e50220a7a8b1a4670b9fd20ed47d7477976f0c4f96812a3feef0f11363573e8899603615971b22769b51ffc59fe61bc7e81b30981da7f1b5b1eb8e2fe4491df |