Analysis Overview
SHA256
606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0e
Threat Level: Known bad
The file 606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN was found to be: Known bad.
Malicious Activity Summary
simda
Modifies WinLogon for persistence
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon
Drops file in Windows directory
System Location Discovery: System Language Discovery
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-19 16:42
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-19 16:42
Reported
2024-09-19 16:44
Platform
win10v2004-20240802-en
Max time kernel
111s
Max time network
119s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\333127e = "CŠáKZæŒd1¸?”;ê{®f¿×xêV\x05*˜œ]RÉ£N‹äeîájäÂÙ¦ZúÚ°ÙöXõFB\x1c6q-9Í\x18\x0e¿½¬f|\x13?qÝõþ=¯þÛÒ\x16¹ú\x04öÙî&uŒ9\x01Ûõ½/s\x13t޽¯éÛþÛÀs\fË\x01+Î9rÛü\x15ƒ½„‚YõŒM]ѯþÙ¢éÿƒ¬\x19¹ÜÿÉn§Ý\x1cÛ-¶G\x13fo©\x18\x17çàUáÀƒaš‘\x05\nq\x01îto9šƒñ-\x17š.qÀ$r\x17Åøƒ\x18q\x0e¥2Ͱú-3ïš\u00a0-ƒ[hÙ|½îÍjš6àKTPq™\u0081°)Ûž&Òƒõ|ŨQˆ\aˆœ°ÍCÜšJ\x05þAŒénm¥ü.q\n…CËŽ‘¦P„\x19Ûš" | C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\333127e = "CŠáKZæŒd1¸?”;ê{®f¿×xêV\x05*˜œ]RÉ£N‹äeîájäÂÙ¦ZúÚ°ÙöXõFB\x1c6q-9Í\x18\x0e¿½¬f|\x13?qÝõþ=¯þÛÒ\x16¹ú\x04öÙî&uŒ9\x01Ûõ½/s\x13t޽¯éÛþÛÀs\fË\x01+Î9rÛü\x15ƒ½„‚YõŒM]ѯþÙ¢éÿƒ¬\x19¹ÜÿÉn§Ý\x1cÛ-¶G\x13fo©\x18\x17çàUáÀƒaš‘\x05\nq\x01îto9šƒñ-\x17š.qÀ$r\x17Åøƒ\x18q\x0e¥2Ͱú-3ïš\u00a0-ƒ[hÙ|½îÍjš6àKTPq™\u0081°)Ûž&Òƒõ|ŨQˆ\aˆœ°ÍCÜšJ\x05þAŒénm¥ü.q\n…CËŽ‘¦P„\x19Ûš" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4108 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe
"C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
memory/4108-0-0x0000000000400000-0x0000000000589000-memory.dmp
memory/4108-1-0x0000000002350000-0x00000000023A1000-memory.dmp
memory/4108-2-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Windows\apppatch\svchost.exe
| MD5 | 0fa639eda1f3343da06c0a2eb5550d58 |
| SHA1 | 526dc5ec8b309aecc183bd1bec39c1fa4acc0439 |
| SHA256 | 63deeb6c512af6464f7ba302c9aa1078c104d5595cd0e5c464ae9d7ccd153116 |
| SHA512 | 67efdb680582cba46cd02fcc542cd027482cdabdc5f1fe1aa541ab2138384d5d43084add94bc9a609abcd6c04b196d34e4e63cf546f7241028b6fceca30ec864 |
C:\Users\Admin\AppData\Local\Temp\9799.tmp
| MD5 | 218191c29578d37a50c0c766ab5b57e3 |
| SHA1 | 8333e7d0ff5371f96454645533d12cd2a24dfe63 |
| SHA256 | c3b5bb0200cfd8dfb9d38d5b4fdd659853a60ae38b26cc1ab70188ff8df360b9 |
| SHA512 | ceae42abbe879176c5c72eb8f0e49ec6ee243299f930ab436720af00a6f2a58f5b101c55decff805996d9daa613aa569114bebecc3c48182877f3493f5ab4519 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-19 16:42
Reported
2024-09-19 16:44
Platform
win7-20240708-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\9ac1407d = "›cœvÈ\x16n\x06FR&Àù\tÊ0<¹s±²´³xmêe¾„rÄÙáÈyq\x15¸Ð\u00a0\u0081\bí2aéðXqpU\u00a0¥ññ@Y" | C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\9ac1407d = "›cœvÈ\x16n\x06FR&Àù\tÊ0<¹s±²´³xmêe¾„rÄÙáÈyq\x15¸Ð\u00a0\u0081\bí2aéðXqpU\u00a0¥ññ@Y" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2204 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe
"C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
memory/2204-1-0x0000000000590000-0x00000000005E1000-memory.dmp
memory/2204-0-0x0000000000400000-0x0000000000589000-memory.dmp
memory/2204-2-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Windows\AppPatch\svchost.exe
| MD5 | 487605a14a14ec02a8d1d94d92275438 |
| SHA1 | f1045d2b6ab3ff790e2fdccaf5b951f4ffe5cca7 |
| SHA256 | f61c6b3357cd14c60e47464597a0e2f56f1cd064afb7c655cce9dbe2d0048fda |
| SHA512 | 05661e3fb608a7b93b1c0d22e4f880ff234e213eb8c9e0ab822837082e0089bea49192e18ae5386b9663b8f1b05334b9bd75707514446cd02344a11498d50351 |