Analysis Overview
SHA256
2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4
Threat Level: Known bad
The file 2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N was found to be: Known bad.
Malicious Activity Summary
simda
Simda family
Modifies WinLogon for persistence
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-19 12:12
Signatures
Simda family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-19 12:12
Reported
2024-09-19 12:15
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4b6551d5 = "˜ˆX©e’…Õ…Ñx\x1däÙzeæçT0q\f©¢u¯\x10âi*ûBr´´ZŒ’2tT¬\x1a6¬Ò3d1:ò´´Éôœ4KJ\fú\x04ŒœÚªrÒ\x04¹2V„$\x14\x11ÊÜz\x02\f²\x19\tòž\x1aäd4IC\\ìÊ‘\x1aÌ6\x1c\x12C¼Ò¦<Ži\x06²$\x12\"Rô\x01tt‰\f\\‚ÌA#â¬ëú™yÑv6Ù”Rv\f4d\\VÄ4Œ”3C‘TtÒë‰T$„z\x14\f$CÂ̺ª[ÂläZÔ\x02¼ŒŒº¬ªò‚NÊò´Rœ¶l\x01.ôÖ¼ž\x12ŠÓ”ÌšÜTËc¡Úd\x04Â22\\Œ»ÊÞÊz„<»$¬¢n,ÜÄ1Š\x14túKK\nÚ\x04kêÖ´Z„²Òª¡¾ÄCdëy\u0081ÄÎ\\" | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4b6551d5 = "˜ˆX©e’…Õ…Ñx\x1däÙzeæçT0q\f©¢u¯\x10âi*ûBr´´ZŒ’2tT¬\x1a6¬Ò3d1:ò´´Éôœ4KJ\fú\x04ŒœÚªrÒ\x04¹2V„$\x14\x11ÊÜz\x02\f²\x19\tòž\x1aäd4IC\\ìÊ‘\x1aÌ6\x1c\x12C¼Ò¦<Ži\x06²$\x12\"Rô\x01tt‰\f\\‚ÌA#â¬ëú™yÑv6Ù”Rv\f4d\\VÄ4Œ”3C‘TtÒë‰T$„z\x14\f$CÂ̺ª[ÂläZÔ\x02¼ŒŒº¬ªò‚NÊò´Rœ¶l\x01.ôÖ¼ž\x12ŠÓ”ÌšÜTËc¡Úd\x04Â22\\Œ»ÊÞÊz„<»$¬¢n,ÜÄ1Š\x14túKK\nÚ\x04kêÖ´Z„²Òª¡¾ÄCdëy\u0081ÄÎ\\" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2792 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2792 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2792 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2792 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe
"C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| GB | 88.221.135.17:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 69.162.80.57:80 | lysyfyj.com | tcp |
| US | 172.67.173.131:80 | qegyhig.com | tcp |
| US | 99.83.138.213:80 | puzylyp.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| DE | 178.162.203.211:80 | gatyfus.com | tcp |
| US | 162.255.119.102:80 | gahyqah.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 69.162.80.57:80 | lysyfyj.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.35:80 | c.pki.goog | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 13.248.252.114:80 | puzylyp.com | tcp |
| NL | 85.17.31.82:80 | gatyfus.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| NL | 85.17.31.82:80 | gatyfus.com | tcp |
| DE | 178.162.203.202:80 | gatyfus.com | tcp |
| US | 99.83.138.213:80 | puzylyp.com | tcp |
| DE | 178.162.203.226:80 | gatyfus.com | tcp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 13.248.252.114:80 | puzylyp.com | tcp |
| DE | 178.162.217.107:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 104.21.26.151:80 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| CN | 103.150.10.58:80 | lyrysor.com | tcp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| CN | 103.150.10.58:80 | lyrysor.com | tcp |
Files
\Windows\AppPatch\svchost.exe
| MD5 | 85625f30f2d4d78e32945ab6cfe11bb7 |
| SHA1 | ac86e850b98f8a2966b5e6c84f7ef4f4dd486c00 |
| SHA256 | d57a7cc28bb5417631685279b84e269a788c09990a68c6b6aff3b5aa1516fded |
| SHA512 | 0f4d2e9ae6560ba26f7bd2e0922c42f3a5adf65be849591790c642f3d72a54e9a5786f9f259bcb870a6e96ce9bc40314571292e7626ba04b0e90036c79a9701d |
memory/2792-13-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/3004-14-0x0000000001FD0000-0x0000000002078000-memory.dmp
memory/3004-20-0x0000000001FD0000-0x0000000002078000-memory.dmp
memory/3004-24-0x0000000001FD0000-0x0000000002078000-memory.dmp
memory/3004-22-0x0000000001FD0000-0x0000000002078000-memory.dmp
memory/3004-18-0x0000000001FD0000-0x0000000002078000-memory.dmp
memory/3004-16-0x0000000001FD0000-0x0000000002078000-memory.dmp
memory/3004-25-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-29-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-27-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-38-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-61-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-77-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-76-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-75-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-74-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-73-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-72-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-71-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-70-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-69-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-68-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-67-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-66-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-65-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-64-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-63-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-60-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-59-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-58-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-57-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-56-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-55-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-54-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-53-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-52-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-50-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-49-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-48-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-47-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-46-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-45-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-44-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-43-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-42-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-41-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-40-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-39-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-62-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-37-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-36-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-35-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-51-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-34-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-33-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-32-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-31-0x0000000002460000-0x0000000002516000-memory.dmp
memory/3004-190-0x0000000002460000-0x0000000002516000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-19 12:12
Reported
2024-09-19 12:15
Platform
win10v2004-20240802-en
Max time kernel
107s
Max time network
119s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b6919f15 = "L\u008d¦zëÙÿÚà¸I›«“Z¦wè\x13—Œ\x15v‹‚A\x13ŒZ\x1f\x18j\nc›³ÿß#u_\u008fššƒ\u008d[͇B/\x05\x1aÿ‡Õ£çKÕk\x17“MWÓU5/\x13E2ËJ}?rrECÅ*'…ƒŸ£\u00ad#›ç¢Ç£\u008dµ“Sòã‹—ïý*«\u00ad’2+£\x1a³õÚÃÇWË[Có\x0f\neâ¥e\x17Ç\x7fêõ\x0f‡‡×ƒKKzû3r÷¿C/sÏÚå§š[\x17«×oOr’Ç/ß«òÂs\x13g›\x05º“\"’KK\n]\x03B\x17Bº£Ÿ»K»#›³“ź*/Ý*b[s‹§šŠ{jõ\x1d‹§ò³_Û}Ý\x12rrgóB«Róª’•[\aUuo›Òe\"\x1a\u008fWOo\r¢\x17êâj[§[:«ó\a\a" | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b6919f15 = "L\u008d¦zëÙÿÚà¸I›«“Z¦wè\x13—Œ\x15v‹‚A\x13ŒZ\x1f\x18j\nc›³ÿß#u_\u008fššƒ\u008d[͇B/\x05\x1aÿ‡Õ£çKÕk\x17“MWÓU5/\x13E2ËJ}?rrECÅ*'…ƒŸ£\u00ad#›ç¢Ç£\u008dµ“Sòã‹—ïý*«\u00ad’2+£\x1a³õÚÃÇWË[Có\x0f\neâ¥e\x17Ç\x7fêõ\x0f‡‡×ƒKKzû3r÷¿C/sÏÚå§š[\x17«×oOr’Ç/ß«òÂs\x13g›\x05º“\"’KK\n]\x03B\x17Bº£Ÿ»K»#›³“ź*/Ý*b[s‹§šŠ{jõ\x1d‹§ò³_Û}Ý\x12rrgóB«Róª’•[\aUuo›Òe\"\x1a\u008fWOo\r¢\x17êâj[§[:«ó\a\a" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1520 wrote to memory of 4952 | N/A | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | C:\Windows\apppatch\svchost.exe |
| PID 1520 wrote to memory of 4952 | N/A | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | C:\Windows\apppatch\svchost.exe |
| PID 1520 wrote to memory of 4952 | N/A | C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe
"C:\Users\Admin\AppData\Local\Temp\2b05c4a36ab6245b80384d16424f6b51eef7998253a860004efabee8303997c4N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| GB | 95.101.143.193:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 162.255.119.102:80 | gahyqah.com | tcp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 172.67.173.131:80 | qegyhig.com | tcp |
| US | 99.83.138.213:80 | puzylyp.com | tcp |
| NL | 85.17.31.82:80 | gatyfus.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 69.162.80.51:80 | lysyfyj.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 69.162.80.51:80 | lysyfyj.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 85.17.31.82:80 | gatyfus.com | tcp |
| GB | 142.250.200.35:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.119.255.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.173.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.222.234.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.156.208.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.10.94.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.50.191.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.80.162.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.231.212.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.240.195.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.31.17.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 13.248.252.114:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.170.16.2.in-addr.arpa | udp |
| US | 99.83.138.213:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 13.248.252.114:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 172.67.136.136:80 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| CN | 103.150.10.58:80 | lyrysor.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | 146.54.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.136.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| CN | 103.150.10.58:80 | lyrysor.com | tcp |
Files
C:\Windows\apppatch\svchost.exe
| MD5 | 782641bb9012e009ca84f09dffeeeb70 |
| SHA1 | 784680a9b2ceaeeab4d59dd92dc845b21b38cd3a |
| SHA256 | d43f518c88f34c4f69dfc0bb7d64bf3df827ec60ac23008cc8528ddf56101e5f |
| SHA512 | a0f0a28aa8fe597ada0b770f9fd8f4ff3187f12c6537c977fe661c2ef513a622056ee73fc69d9eb95a6979b973837df5adf1aab5fe21791f1466d4d69e11b316 |
memory/4952-10-0x0000000002A00000-0x0000000002AA8000-memory.dmp
memory/4952-13-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-16-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-14-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-17-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-22-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-48-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-74-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-72-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-71-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-70-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-69-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-68-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-67-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-66-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-65-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-64-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-63-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-62-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-61-0x0000000002BB0000-0x0000000002C66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BF0E.tmp
| MD5 | 6770a0860603241a726573e950cc143a |
| SHA1 | e99890e532f670b2eff524529077870f1353b182 |
| SHA256 | ee462dabc2e61ef7d5eb38fac5806a434f32f3557fa0210dbb9b76f4dd335ef3 |
| SHA512 | b5a74bf414295183316558051970a83c0c099a5c5cd3229b6615eef9d51d08fbd377903f2e16f2a82837651aa1b09da61bd2a96e8e8ea8dbcf99c8cc2099c897 |
memory/4952-60-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-59-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-58-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-56-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-55-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-54-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-53-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-51-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-50-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-49-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-47-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-46-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-45-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-44-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-43-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-42-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-41-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-40-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-39-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-38-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-37-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-35-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-34-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-33-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-32-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-31-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-29-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-28-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-27-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-26-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-25-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-24-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-73-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-57-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-52-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-21-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-20-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-36-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-19-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-18-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-30-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-23-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/4952-164-0x0000000002BB0000-0x0000000002C66000-memory.dmp