Analysis Overview
SHA256
25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706f
Threat Level: Known bad
The file 25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN was found to be: Known bad.
Malicious Activity Summary
Simda family
Modifies WinLogon for persistence
simda
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-19 14:11
Signatures
Simda family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-19 14:11
Reported
2024-09-19 14:13
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\87b562d9 = "ó\nTa3FsaõÝv\tvè`)ž3øB|Tqú" | C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\87b562d9 = "ó\nTa3FsaõÝv\tvè`)ž3øB|Tqú" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe | N/A |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2092 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe
"C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
\Windows\AppPatch\svchost.exe
| MD5 | 9c17dbca491af6b2559574b3cdff0c79 |
| SHA1 | 853045c615cb9117903435af771bc3f279e37a2e |
| SHA256 | a09c23421124a79138b3d1b6a4a2b2e516fd46e472d0e56a66ca400ccca4496a |
| SHA512 | 12715fc5c3b403a058ea970ca76516599d97bde425f24505b45784224dfa238d63f4e3f295d5b096a765b041d1a357b5ae48a8758e1be1c8882e978fe2b768de |
C:\Users\Admin\AppData\Local\Temp\A465.tmp
| MD5 | 9560ff959c6cab1d28b80541e24e4d39 |
| SHA1 | 1f27afb2868023f678465efe00e8897a09c357cd |
| SHA256 | f604f5363f6a345a1a0360e00e4cbb8f531cb7f81d569f956637d58ede403503 |
| SHA512 | 685de6f66a4457c4c21765832e6e4d441a67d31ab42cf9cff042ab7c46737a2af3e7cd08d3fed732655bd272b07283ab2f4125f165d03b71d9ccc08cbc0dd84e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-19 14:11
Reported
2024-09-19 14:13
Platform
win10v2004-20240802-en
Max time kernel
106s
Max time network
120s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\2708817d = "\x10޽ÄRòuMùéßpB|¼MFÁdퟢ×Á%‚…½QÛ†ŒcŒC>Bdü<Ò\x04\\œª,æ¼S2“\x16£û©¼òÄÜÙìâT\x1aâ\fD†º¬\x04|!\x04„cBRtJsœä2¬sÓÄ\x12lz|âö,ŒÌtÄë|<«A4™Ù\x1c‹I2;\x19Óbc™\x11ÌÒ¼Z\x02ò‚J\x16Ô+1|º\x11»òj¤£,œù)\fÄ‘é¬4ƒ;Á\n<›3SáÑéq:lTb\x142ª<:¢R\nšËSŒL¢Œ\\ë„,|ä3^$lºéòÆ3ü9äì\x1a\x14£*tƒ\fãüê\";\x03$¢‹³\x1a³ôSÆ2ë>ú“ãNÆ2!D&R´œûìj‘q*©:»jD$\x16c\v|Iú¢\x1b£ª³û:" | C:\Windows\apppatch\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\2708817d = "\x10޽ÄRòuMùéßpB|¼MFÁdퟢ×Á%‚…½QÛ†ŒcŒC>Bdü<Ò\x04\\œª,æ¼S2“\x16£û©¼òÄÜÙìâT\x1aâ\fD†º¬\x04|!\x04„cBRtJsœä2¬sÓÄ\x12lz|âö,ŒÌtÄë|<«A4™Ù\x1c‹I2;\x19Óbc™\x11ÌÒ¼Z\x02ò‚J\x16Ô+1|º\x11»òj¤£,œù)\fÄ‘é¬4ƒ;Á\n<›3SáÑéq:lTb\x142ª<:¢R\nšËSŒL¢Œ\\ë„,|ä3^$lºéòÆ3ü9äì\x1a\x14£*tƒ\fãüê\";\x03$¢‹³\x1a³ôSÆ2ë>ú“ãNÆ2!D&R´œûìj‘q*©:»jD$\x16c\v|Iú¢\x1b£ª³û:" | C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3612 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe
"C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
C:\Windows\apppatch\svchost.exe
| MD5 | 7ef22343e7367928bffd70710fc01267 |
| SHA1 | 07bff131efdfae32a09cc89786e9e03fbcb50016 |
| SHA256 | 66648148e023069bfc5da3f35656dc146afb1c3f478e7c915d8254381c94a1eb |
| SHA512 | 625cec9538801bf3e09b57b39a6a9e900d3de7788a6ec82721977d08bd6d1ab7f9935fdfc7b791e360e5f92617fa9abe3920bb577a218a7b735ada39eb57d132 |
C:\Users\Admin\AppData\Local\Temp\8835.tmp
| MD5 | d6b7ebe5c5691ff3b236859f13a209cf |
| SHA1 | 0e00c58ac7ed908f5f60c59f6d7d1d19d70f89d8 |
| SHA256 | 2a6bc34b8f84b3fe6b0251f184386cefbbaec71e56a970a19b7cdf2bf9ec0819 |
| SHA512 | e03a71299e1626dff849e2ab6379ded29ba5255e713be909ad264e6b55dc61364c917d93f52cdf23cb7c8775a0bae6711702cb3ee5f02929590b93d360a48516 |