Malware Analysis Report

2025-06-16 00:30

Sample ID 240919-t741pszbkm
Target 606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN
SHA256 606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0e
Tags
simda discovery persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0e

Threat Level: Known bad

The file 606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

simda

Modifies WinLogon for persistence

Loads dropped DLL

Executes dropped EXE

Modifies WinLogon

Drops file in Windows directory

System Location Discovery: System Language Discovery

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-19 16:42

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-19 16:42

Reported

2024-09-19 16:44

Platform

win10v2004-20240802-en

Max time kernel

111s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\333127e = (non-printable binary data) C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\333127e = (non-printable binary data) C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe

"C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Files

C:\Windows\apppatch\svchost.exe

MD5 0fa639eda1f3343da06c0a2eb5550d58
SHA1 526dc5ec8b309aecc183bd1bec39c1fa4acc0439
SHA256 63deeb6c512af6464f7ba302c9aa1078c104d5595cd0e5c464ae9d7ccd153116
SHA512 67efdb680582cba46cd02fcc542cd027482cdabdc5f1fe1aa541ab2138384d5d43084add94bc9a609abcd6c04b196d34e4e63cf546f7241028b6fceca30ec864

C:\Users\Admin\AppData\Local\Temp\9799.tmp

MD5 218191c29578d37a50c0c766ab5b57e3
SHA1 8333e7d0ff5371f96454645533d12cd2a24dfe63
SHA256 c3b5bb0200cfd8dfb9d38d5b4fdd659853a60ae38b26cc1ab70188ff8df360b9
SHA512 ceae42abbe879176c5c72eb8f0e49ec6ee243299f930ab436720af00a6f2a58f5b101c55decff805996d9daa613aa569114bebecc3c48182877f3493f5ab4519

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-19 16:42

Reported

2024-09-19 16:44

Platform

win7-20240708-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\9ac1407d = (non-printable binary data) C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\9ac1407d = (non-printable binary data) C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe

"C:\Users\Admin\AppData\Local\Temp\606e0cc3125a445360f1be97b5591f0b2360f7fd48f5373ce334e83553a49d0eN.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Files

C:\Windows\AppPatch\svchost.exe

MD5 487605a14a14ec02a8d1d94d92275438
SHA1 f1045d2b6ab3ff790e2fdccaf5b951f4ffe5cca7
SHA256 f61c6b3357cd14c60e47464597a0e2f56f1cd064afb7c655cce9dbe2d0048fda
SHA512 05661e3fb608a7b93b1c0d22e4f880ff234e213eb8c9e0ab822837082e0089bea49192e18ae5386b9663b8f1b05334b9bd75707514446cd02344a11498d50351
