Analysis Overview
SHA256
dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577
Threat Level: Known bad
The file dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N was found to be: Known bad.
Malicious Activity Summary
simda
Modifies WinLogon for persistence
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Drops file in Windows directory
System Location Discovery: System Language Discovery
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-19 13:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-19 13:24
Reported
2024-09-19 13:26
Platform
win7-20240903-en
Max time kernel
114s
Max time network
119s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\5dd93766 = "ÂW\x03'w›\x128A\x02\x1dÆ}¨8/•ÎÇF®W©\x11o<QnÜy\x1f\x02\x1d\x17R\u008d*¸&\x1aÙ\x18n5x¢\x11Ò\bmrA@`’âOú>æ(XßšHÿ·7êªÈï" | C:\Windows\apppatch\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\5dd93766 = "ÂW\x03'w›\x128A\x02\x1dÆ}¨8/•ÎÇF®W©\x11o<QnÜy\x1f\x02\x1d\x17R\u008d*¸&\x1aÙ\x18n5x¢\x11Ò\bmrA@`’âOú>æ(XßšHÿ·7êªÈï" | C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2648 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe
"C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
memory/2648-0-0x0000000000220000-0x0000000000271000-memory.dmp
memory/2648-1-0x0000000000400000-0x000000000045F000-memory.dmp
\Windows\AppPatch\svchost.exe
| MD5 | 1f26731d19816fbf4d5d6cfa946322f0 |
| SHA1 | 13c339b5313de261bc5922322a56d5df076ea180 |
| SHA256 | 23044a3c88a45057d5380cd2de3684fc880671406ba94d3b0be959886cd4b370 |
| SHA512 | 7b82eded2275bce5e68132199613e7abaec60f70797596edc75ce18c0d4e67720c2773a3825c68af29c69d4b021dda734351ddede96db725c78a8c506a2dfd80 |
C:\Users\Admin\AppData\Local\Temp\876F.tmp
| MD5 | 3f9acf573c44fa83d4782c8c1eea227a |
| SHA1 | 6275c44e533d8db41b19fda1089ab3230b0e33ba |
| SHA256 | b88f27de192f76d9627eb1ca579296dd11817ed212a5fef1cdba0490fee4cb08 |
| SHA512 | e37cb08ed9329e60b97de1c680d84963af48ef3c365b71cfb81cc4f9dff6d4200a001978f7de95ca7f7994db55da21c47cc52d1245d1d2c032d8d1aa2f18d37b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-19 13:24
Reported
2024-09-19 13:26
Platform
win10v2004-20240802-en
Max time kernel
111s
Max time network
117s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4212101f = "F\u0081OTn\x1fY|Nöƒeƒ\rDl`6Åï\u008fõÞÉ€\u008f!\x17\"×\x14ÝdÓ\r3%\\ëÉœ¤\vC!\x05ï5e¤”l7Uü/4…ÅÓ¤M‹œ…{\x1c›‡ñÍ%\x15q½Õ-ã§“\x1c5íÛa<,Å_\r\x7f/gÕü¥ÙŸ\x7fu‹\x19u¹¹59¥it‡gO—µ…[ÓM‘U\x05\u008dY5£\u00ad3mý\x01Qí¡y\a·qý¿!\u0081\x04$Ó±{DÄëI}5%\x1b\x01í-‡¹k\x1d‹¥ÃÝ\vw\u008dó5\u008d÷ƒIKuåÇ\v\x0fÑ_Ó\u0081¡‹ac9íõ5ÑÁ\x05\u008foE\x11ÇyÌ4YõýË\x17ýóS\v!Ý\u009dL;\x7f\u008dy±iÌ\x1b¥%ó”ÃW?ÔWÉoE©i\u00adm\u008d¡\t\x15\x05\u009d[m\x01\u0081ÔÛ\x03“\x1bD\u008d#" | C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4212101f = "F\u0081OTn\x1fY|Nöƒeƒ\rDl`6Åï\u008fõÞÉ€\u008f!\x17\"×\x14ÝdÓ\r3%\\ëÉœ¤\vC!\x05ï5e¤”l7Uü/4…ÅÓ¤M‹œ…{\x1c›‡ñÍ%\x15q½Õ-ã§“\x1c5íÛa<,Å_\r\x7f/gÕü¥ÙŸ\x7fu‹\x19u¹¹59¥it‡gO—µ…[ÓM‘U\x05\u008dY5£\u00ad3mý\x01Qí¡y\a·qý¿!\u0081\x04$Ó±{DÄëI}5%\x1b\x01í-‡¹k\x1d‹¥ÃÝ\vw\u008dó5\u008d÷ƒIKuåÇ\v\x0fÑ_Ó\u0081¡‹ac9íõ5ÑÁ\x05\u008foE\x11ÇyÌ4YõýË\x17ýóS\v!Ý\u009dL;\x7f\u008dy±iÌ\x1b¥%ó”ÃW?ÔWÉoE©i\u00adm\u008d¡\t\x15\x05\u009d[m\x01\u0081ÔÛ\x03“\x1bD\u008d#" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 100 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe
"C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
memory/100-0-0x00000000022F0000-0x0000000002341000-memory.dmp
memory/100-1-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Windows\apppatch\svchost.exe
| MD5 | ee86194d1d25588c1565fd3ce1b5a224 |
| SHA1 | 5a3347e8040db1b6bef2035d2c6c89e41c01f042 |
| SHA256 | 0df549fe96f66bd450520acff5cb4ee0fbbe8e2bc04f3c48cf3f054b93657fb8 |
| SHA512 | 1e7bfed0c67cbf093cb577ff5cf7da2e40594fbc3868562226dd77530130de3ab73cb54aa17d3a1311dcec460a1d4201b54fd058b207915434f636a9deab1e98 |