Analysis Overview
SHA256
64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474
Threat Level: Known bad
The file 64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe was found to be: Known bad.
Malicious Activity Summary
simda
Simda family
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-20 01:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-20 01:04
Reported
2024-11-20 01:06
Platform
win7-20240903-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3eb6a7be = "C:\\Windows\\apppatch\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Windows Defender\pupycag.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\vojyqem.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\vonypom.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\pupydeq.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\lygynud.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\vocyzit.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\qetyfuv.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\lymyxid.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\galyqaz.com | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\MuiCache | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2536 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2536 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2536 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2536 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe
"C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
C:\Windows\AppPatch\svchost.exe
| MD5 | bb7d015eb1b9bb25c83a8c3e7df30f8e |
| SHA1 | 74f53d1b6c8a89b78513989078edb4ecb007912d |
| SHA256 | b335eeb3b3429f452c2a4bcc0054080a176e7e75131603206be0c1dd63799798 |
| SHA512 | 4dca8d5b741a6093b40de385d2a38c3c4853abba8967984af0eb066d4d872bf9c769a96f343dc48cf69ed451133aaa7052f420e64753d2e9df9ad95aee812d2a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XUNBX2YX\login[1].htm
| MD5 | d57e3a550060f85d44a175139ea23021 |
| SHA1 | 2c5cb3428a322c9709a34d04dd86fe7628f8f0a6 |
| SHA256 | 43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c |
| SHA512 | 0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-20 01:04
Reported
2024-11-20 01:06
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\aa54e890 = "C:\\Windows\\apppatch\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Windows Defender\vocyzit.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\lymyxid.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\vonypom.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\qetyfuv.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\puzylyp.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\galyqaz.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\pupydeq.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\pupycag.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\vojyqem.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\gatyfus.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\lygynud.com | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\MuiCache | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2128 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2128 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2128 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe
"C:\Users\Admin\AppData\Local\Temp\64f2d31c7610db0fe79090084f98718c3b033f938bf081c4521cf92e564bd474N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
C:\Windows\apppatch\svchost.exe
| MD5 | 1000e2aa3b4b65fd69b5eb9e2ccc8843 |
| SHA1 | 9c2774d12a924b1c1f16a5e8996c09b820dd01f9 |
| SHA256 | b28fc48a418512fcd21cd6127f02cde8144b810bf902bfb61f30ce21eea150cf |
| SHA512 | 3f2926a271155e56f5d56748854d074cd40b702f26832471b94ecbdc8e56dbaffca87a3aa8526fcf1fc84c0392977fed55ad001079e990fdcaf9660419275174 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\PFFTX4R2\login[1].htm
| MD5 | d57e3a550060f85d44a175139ea23021 |
| SHA1 | 2c5cb3428a322c9709a34d04dd86fe7628f8f0a6 |
| SHA256 | 43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c |
| SHA512 | 0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063 |