Malware Analysis Report

2025-06-16 00:30

Sample ID 240919-rhfwgasdrb
Target 25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN
SHA256 25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706f
Tags
simda discovery persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706f

Threat Level: Known bad

The file 25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

Simda family

Modifies WinLogon for persistence

simda

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-19 14:11

Signatures

Simda family

simda

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-19 14:11

Reported

2024-09-19 14:13

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\87b562d9 = "ó\nTa3FsaõÝv\tvè`)ž3øB|Tqú" C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\87b562d9 = "ó\nTa3FsaõÝv\tvè`)ž3øB|Tqú" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe

"C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Files

\Windows\AppPatch\svchost.exe

MD5 9c17dbca491af6b2559574b3cdff0c79
SHA1 853045c615cb9117903435af771bc3f279e37a2e
SHA256 a09c23421124a79138b3d1b6a4a2b2e516fd46e472d0e56a66ca400ccca4496a
SHA512 12715fc5c3b403a058ea970ca76516599d97bde425f24505b45784224dfa238d63f4e3f295d5b096a765b041d1a357b5ae48a8758e1be1c8882e978fe2b768de

C:\Users\Admin\AppData\Local\Temp\A465.tmp

MD5 9560ff959c6cab1d28b80541e24e4d39
SHA1 1f27afb2868023f678465efe00e8897a09c357cd
SHA256 f604f5363f6a345a1a0360e00e4cbb8f531cb7f81d569f956637d58ede403503
SHA512 685de6f66a4457c4c21765832e6e4d441a67d31ab42cf9cff042ab7c46737a2af3e7cd08d3fed732655bd272b07283ab2f4125f165d03b71d9ccc08cbc0dd84e


Analysis: behavioral2

Detonation Overview

Submitted

2024-09-19 14:11

Reported

2024-09-19 14:13

Platform

win10v2004-20240802-en

Max time kernel

106s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\2708817d = "\x10޽ÄRòuMùéßpB|¼MFÁdퟢ×Á%‚…½QÛ†ŒcŒC>Bdü<Ò\x04\\œª,æ¼S2“\x16£û©¼òÄÜÙìâT\x1aâ\fD†º¬\x04|!\x04„cBRtJsœä2¬sÓÄ\x12lz|âö,ŒÌtÄë|<«A4™Ù\x1c‹I2;\x19Óbc™\x11ÌÒ¼Z\x02ò‚J\x16Ô+1|º\x11»òj¤£,œù)\fÄ‘é¬4ƒ;Á\n<›3SáÑéq:lTb\x142ª<:¢R\nšËSŒL¢Œ\\ë„,|ä3^$lºéòÆ3ü9äì\x1a\x14£*tƒ\fãüê\";\x03$¢‹³\x1a³ôSÆ2ë>ú“ãNÆ2!D&R´œûìj‘q*©:»jD$\x16c\v|Iú¢\x1b£ª³û:" C:\Windows\apppatch\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\2708817d = "\x10޽ÄRòuMùéßpB|¼MFÁdퟢ×Á%‚…½QÛ†ŒcŒC>Bdü<Ò\x04\\œª,æ¼S2“\x16£û©¼òÄÜÙìâT\x1aâ\fD†º¬\x04|!\x04„cBRtJsœä2¬sÓÄ\x12lz|âö,ŒÌtÄë|<«A4™Ù\x1c‹I2;\x19Óbc™\x11ÌÒ¼Z\x02ò‚J\x16Ô+1|º\x11»òj¤£,œù)\fÄ‘é¬4ƒ;Á\n<›3SáÑéq:lTb\x142ª<:¢R\nšËSŒL¢Œ\\ë„,|ä3^$lºéòÆ3ü9äì\x1a\x14£*tƒ\fãüê\";\x03$¢‹³\x1a³ôSÆ2ë>ú“ãNÆ2!D&R´œûìj‘q*©:»jD$\x16c\v|Iú¢\x1b£ª³û:" C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe

"C:\Users\Admin\AppData\Local\Temp\25208ab0683672a9d4c63e3a8ae3def66131fe7b6f560d9d5db0904ba6a8706fN.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Files

C:\Windows\apppatch\svchost.exe

MD5 7ef22343e7367928bffd70710fc01267
SHA1 07bff131efdfae32a09cc89786e9e03fbcb50016
SHA256 66648148e023069bfc5da3f35656dc146afb1c3f478e7c915d8254381c94a1eb
SHA512 625cec9538801bf3e09b57b39a6a9e900d3de7788a6ec82721977d08bd6d1ab7f9935fdfc7b791e360e5f92617fa9abe3920bb577a218a7b735ada39eb57d132

C:\Users\Admin\AppData\Local\Temp\8835.tmp

MD5 d6b7ebe5c5691ff3b236859f13a209cf
SHA1 0e00c58ac7ed908f5f60c59f6d7d1d19d70f89d8
SHA256 2a6bc34b8f84b3fe6b0251f184386cefbbaec71e56a970a19b7cdf2bf9ec0819
SHA512 e03a71299e1626dff849e2ab6379ded29ba5255e713be909ad264e6b55dc61364c917d93f52cdf23cb7c8775a0bae6711702cb3ee5f02929590b93d360a48516
