Malware Analysis Report

2025-06-16 00:30

Sample ID 240919-qnrz9a1drk
Target dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N
SHA256 dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577
Tags
simda discovery persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577

Threat Level: Known bad

The file dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

simda

Modifies WinLogon for persistence

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in Windows directory

System Location Discovery: System Language Discovery

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-19 13:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-19 13:24

Reported

2024-09-19 13:26

Platform

win7-20240903-en

Max time kernel

114s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\5dd93766 = "ÂW\x03'w›\x128A\x02\x1dÆ}¨8/•ÎÇF®W©\x11o<QnÜy\x1f\x02\x1d\x17R\u008d*¸&\x1aÙ\x18n5x¢\x11Ò\bmrA@`’âOú>æ(XßšHÿ·7êªÈï" C:\Windows\apppatch\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\5dd93766 = "ÂW\x03'w›\x128A\x02\x1dÆ}¨8/•ÎÇF®W©\x11o<QnÜy\x1f\x02\x1d\x17R\u008d*¸&\x1aÙ\x18n5x¢\x11Ò\bmrA@`’âOú>æ(XßšHÿ·7êªÈï" C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe

"C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Files

\Windows\AppPatch\svchost.exe

MD5 1f26731d19816fbf4d5d6cfa946322f0
SHA1 13c339b5313de261bc5922322a56d5df076ea180
SHA256 23044a3c88a45057d5380cd2de3684fc880671406ba94d3b0be959886cd4b370
SHA512 7b82eded2275bce5e68132199613e7abaec60f70797596edc75ce18c0d4e67720c2773a3825c68af29c69d4b021dda734351ddede96db725c78a8c506a2dfd80

C:\Users\Admin\AppData\Local\Temp\876F.tmp

MD5 3f9acf573c44fa83d4782c8c1eea227a
SHA1 6275c44e533d8db41b19fda1089ab3230b0e33ba
SHA256 b88f27de192f76d9627eb1ca579296dd11817ed212a5fef1cdba0490fee4cb08
SHA512 e37cb08ed9329e60b97de1c680d84963af48ef3c365b71cfb81cc4f9dff6d4200a001978f7de95ca7f7994db55da21c47cc52d1245d1d2c032d8d1aa2f18d37b

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-19 13:24

Reported

2024-09-19 13:26

Platform

win10v2004-20240802-en

Max time kernel

111s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4212101f = "F\u0081OTn\x1fY|Nöƒeƒ\rDl`6Åï\u008fõÞÉ€\u008f!\x17\"×\x14ÝdÓ\r3%\\ëÉœ¤\vC!\x05ï5e¤”l7Uü/4…ÅÓ¤M‹œ…{\x1c›‡ñÍ%\x15q½Õ-ã§“\x1c5íÛa<,Å_\r\x7f/gÕü¥ÙŸ\x7fu‹\x19u¹¹59¥it‡gO—µ…[ÓM‘U\x05\u008dY5£\u00ad3mý\x01Qí¡y\a·qý¿!\u0081\x04$Ó±{DÄëI}5%\x1b\x01í-‡¹k\x1d‹¥ÃÝ\vw\u008dó5\u008d÷ƒIKuåÇ\v\x0fÑ_Ó\u0081¡‹ac9íõ5ÑÁ\x05\u008foE\x11ÇyÌ4YõýË\x17ýóS\v!Ý\u009dL;\x7f\u008dy±iÌ\x1b¥%ó”ÃW?ÔWÉoE©i\u00adm\u008d¡\t\x15\x05\u009d[m\x01\u0081ÔÛ\x03“\x1bD\u008d#" C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4212101f = "F\u0081OTn\x1fY|Nöƒeƒ\rDl`6Åï\u008fõÞÉ€\u008f!\x17\"×\x14ÝdÓ\r3%\\ëÉœ¤\vC!\x05ï5e¤”l7Uü/4…ÅÓ¤M‹œ…{\x1c›‡ñÍ%\x15q½Õ-ã§“\x1c5íÛa<,Å_\r\x7f/gÕü¥ÙŸ\x7fu‹\x19u¹¹59¥it‡gO—µ…[ÓM‘U\x05\u008dY5£\u00ad3mý\x01Qí¡y\a·qý¿!\u0081\x04$Ó±{DÄëI}5%\x1b\x01í-‡¹k\x1d‹¥ÃÝ\vw\u008dó5\u008d÷ƒIKuåÇ\v\x0fÑ_Ó\u0081¡‹ac9íõ5ÑÁ\x05\u008foE\x11ÇyÌ4YõýË\x17ýóS\v!Ý\u009dL;\x7f\u008dy±iÌ\x1b¥%ó”ÃW?ÔWÉoE©i\u00adm\u008d¡\t\x15\x05\u009d[m\x01\u0081ÔÛ\x03“\x1bD\u008d#" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe

"C:\Users\Admin\AppData\Local\Temp\dc66742743486d506681ccc8dca238a1193be0f0815969e64d2e626271b7f577N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Files

C:\Windows\apppatch\svchost.exe

MD5 ee86194d1d25588c1565fd3ce1b5a224
SHA1 5a3347e8040db1b6bef2035d2c6c89e41c01f042
SHA256 0df549fe96f66bd450520acff5cb4ee0fbbe8e2bc04f3c48cf3f054b93657fb8
SHA512 1e7bfed0c67cbf093cb577ff5cf7da2e40594fbc3868562226dd77530130de3ab73cb54aa17d3a1311dcec460a1d4201b54fd058b207915434f636a9deab1e98
