Analysis Overview
SHA256
5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bd
Threat Level: Known bad
The file 5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Simda family
simda
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-02 21:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-02 21:06
Reported
2024-11-02 21:09
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
122s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\75603201 = "H™²|*\x19+™S\x17â‚V/ï\u008døMo\"u\"´ï¡@r•‹ož\x13\x04¶LFþôLÖ„\v\x166\x14o3¦ËËÌÎV¿ËŽ”¤Lï†\x1esîOf£\\îÏsäTûŒÞ\x7f6Ï«–†wîŸþ'L§\x16ÎO#Ü~Cw\x1fîK·ÛÏ»[×o“ôó_Fì\aŽ\x06FV‹~\x16ìO.W«ÿW´V£,f\x0eï¯û'‡4\u008f/ÏþfkÞŽ/—«§\x17×\x1b?¿gÏŸ\x16\x06\x0e.«/‹þ,ì¯s×®gï\x17OlWgóO‡\x17¼\x13œc\x14_,LëOŽ>\f\x1cÜGWW'¦÷¤Ï\x044ǯ¿s—´4¯Vo«þ·ßÏn67‡nÿgW®?\x16G\\\a¿Û—\x17ôÿ?Î~Û—k×”O\x0fdÿ¼Öv" | C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\75603201 = "H™²|*\x19+™S\x17â‚V/ï\u008døMo\"u\"´ï¡@r•‹ož\x13\x04¶LFþôLÖ„\v\x166\x14o3¦ËËÌÎV¿ËŽ”¤Lï†\x1esîOf£\\îÏsäTûŒÞ\x7f6Ï«–†wîŸþ'L§\x16ÎO#Ü~Cw\x1fîK·ÛÏ»[×o“ôó_Fì\aŽ\x06FV‹~\x16ìO.W«ÿW´V£,f\x0eï¯û'‡4\u008f/ÏþfkÞŽ/—«§\x17×\x1b?¿gÏŸ\x16\x06\x0e.«/‹þ,ì¯s×®gï\x17OlWgóO‡\x17¼\x13œc\x14_,LëOŽ>\f\x1cÜGWW'¦÷¤Ï\x044ǯ¿s—´4¯Vo«þ·ßÏn67‡nÿgW®?\x16G\\\a¿Û—\x17ôÿ?Î~Û—k×”O\x0fdÿ¼Öv" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 964 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe | C:\Windows\apppatch\svchost.exe |
| PID 964 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe | C:\Windows\apppatch\svchost.exe |
| PID 964 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe
"C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.144.22.2.in-addr.arpa | udp |
| US | 95.100.195.156:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 75.2.71.199:80 | puzylyp.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 69.162.80.54:80 | lysyfyj.com | tcp |
| US | 162.255.119.102:80 | gahyqah.com | tcp |
| US | 104.21.30.183:80 | qegyhig.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| US | 75.2.71.199:443 | puzylyp.com | tcp |
| US | 69.162.80.54:80 | lysyfyj.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.195.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.30.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.71.2.75.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.222.234.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.156.208.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.119.255.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.80.162.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.10.94.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.240.195.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | 83.50.191.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.231.212.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww8.galyqaz.com | udp |
| US | 45.56.79.23:80 | ww8.galyqaz.com | tcp |
| US | 8.8.8.8:53 | 23.79.56.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.71.79.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| CN | 218.92.0.241:80 | lyrysor.com | tcp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 107.178.223.183:80 | lygynud.com | tcp |
| US | 104.21.26.151:80 | lysyvan.com | tcp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | 146.54.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.26.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.223.178.107.in-addr.arpa | udp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| CN | 218.92.0.241:80 | lyrysor.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
memory/964-0-0x0000000000500000-0x0000000000503000-memory.dmp
memory/964-1-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Windows\apppatch\svchost.exe
| MD5 | 1cd4d6cdd0533e3114a314eb0546a021 |
| SHA1 | caebbd528a88a69124bacacb27f83dd428bad0ae |
| SHA256 | 3930369c4f98e75e505f7f9b91b8ab395b64670c01a6a5c7b58bf55ed89773e6 |
| SHA512 | b8dfa259e3639a87fbb247df6a4fed4478e6c2dfc720b7860a29db01edff14b758c7c090ba1b44c17de2dbc5d68eba7223d9f942f3cc36c5fecf668a156c594f |
memory/964-13-0x0000000000400000-0x000000000045F000-memory.dmp
memory/964-12-0x0000000000500000-0x0000000000503000-memory.dmp
memory/964-11-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1632-14-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1632-15-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1632-16-0x0000000002A00000-0x0000000002AA8000-memory.dmp
memory/1632-17-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1632-20-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-22-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-18-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-76-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-79-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-78-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-77-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-75-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-74-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-72-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-71-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-70-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-69-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-67-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-66-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-65-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-64-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-63-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-62-0x0000000002BB0000-0x0000000002C66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B269.tmp
| MD5 | 025dda0b936a11096b968235b4ddd2da |
| SHA1 | 682336fc585cc9273bfaed5c3cc454babb7b5f52 |
| SHA256 | 34dcc05aff2350b33bc97ca88dfcfb6b600f46a38a68aaedbc313d3d661cb3f4 |
| SHA512 | 7d576b4bbdd7968a665ea71754bd3f30ec2f80a2506f4bbd5a94ab4b0835146f45e5c5f53f2e1fa9a9eeaa689715fe96b155d5f3edba1681e7d1b389d2e05ce3 |
memory/1632-61-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-60-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-59-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-58-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-57-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-54-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-53-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-51-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-49-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-48-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-47-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-46-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-44-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-43-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-41-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-40-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-38-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-37-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-34-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-33-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-32-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-31-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-30-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-29-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-27-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-26-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-24-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-73-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-68-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-56-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-55-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-52-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-50-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-45-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-42-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-39-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-36-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-35-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-28-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-25-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-23-0x0000000002BB0000-0x0000000002C66000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-02 21:06
Reported
2024-11-02 21:08
Platform
win7-20241023-en
Max time kernel
113s
Max time network
120s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
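Both detonations (the win10v2004 run above and this win7 run) record the same persistence mechanism: the dropped C:\Windows\apppatch\svchost.exe is appended to the Winlogon Userinit value (ATT&CK T1547.004), so it is launched at every interactive logon, and a second, randomly named Winlogon value (75603201 on Win10, 54a5456 on Win7) holds an opaque binary blob. Note that the dropped svchost.exe has different hashes in the two runs (3930369c... versus 7bed4987...), so the Userinit entry and the apppatch path are the stable indicators, not the file hash. The following is an added example, not part of the report: it parses the Userinit value (from a copied report row or from a live registry read), flags any entry that is not the stock userinit.exe, flags well-known binary names living outside System32/SysWOW64, and applies a hex-name heuristic to Winlogon value names. The default SystemRoot, the masquerade name list and the hex-name rule are assumptions of this example.

```python
import ntpath
import re

# Stock Userinit value on a default install. Assumption: SystemRoot is
# C:\Windows; adjust for hosts with a different system drive.
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe"

# Directories where a binary really named svchost.exe or userinit.exe belongs.
SYSTEM_BINARY_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Names borrowed for masquerading (assumed list); the sample drops svchost.exe
# into C:\Windows\apppatch, which is not a system binary directory.
MASQUERADE_NAMES = {"svchost.exe", "userinit.exe", "explorer.exe", "lsass.exe"}

# Constructed copy of the report's persistence row, used as sample input.
SAMPLE_ROW = (
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT'
    r'\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,'
    r'C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |'
)


def split_userinit(value):
    """Userinit is comma-separated; empty elements (the trailing comma the
    sample leaves behind) are dropped, as Winlogon itself ignores them."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_userinit(value):
    """Return every Userinit entry that is not the stock userinit.exe."""
    return [p for p in split_userinit(value) if p.lower() != DEFAULT_USERINIT.lower()]


def is_masquerading(path):
    """True when a well-known system binary name lives outside the system dirs."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    return name in MASQUERADE_NAMES and directory not in SYSTEM_BINARY_DIRS


def is_suspicious_winlogon_value_name(name):
    """Heuristic (assumption of this example): the sample stores its blob under
    a value whose name is a bare hex string. No stock Winlogon value is."""
    return re.fullmatch(r"[0-9a-f]{5,}", name.lower()) is not None


def audit_report_row(row):
    """Pull the Userinit value out of a 'Set value (str)' row copied from the
    report table and audit it. The report doubles backslashes; undo that."""
    m = re.search(r'Winlogon\\userinit = "(.*?)"', row, re.IGNORECASE)
    if not m:
        return []
    return audit_userinit(m.group(1).replace("\\\\", "\\"))


if __name__ == "__main__":
    for entry in audit_report_row(SAMPLE_ROW):
        kind = "masquerading" if is_masquerading(entry) else "unexpected"
        print(f"{kind}: {entry}")
    for value_name in ("Userinit", "Shell", "75603201", "54a5456"):
        print(value_name, "suspicious" if is_suspicious_winlogon_value_name(value_name) else "ok")
```

On a live host the same check runs against the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit` fed to `audit_userinit`; remediation is to rewrite the value to the stock path and remove the dropped file, since leaving either one reinfects at the next logon.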
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\54a5456 = "@KX¬\x17Á†n+ÃûL\nÔ}ÓiÞ-`CàX\u0081¦ìÞcÅ&q&Õ°¶[éõéÛMô)wçƒ?\x06U$àç;L~6D”õ0îÞeÙ7ß\x01Íß\x01‡F0éPÂ\\ææz\u0081F\x18½@¤š-\x14\u00a0tOé¯bü\x1f\x1f\u00a0ÙYºc)\r\x04aéaŽlûƒÖWñ˜\x01ʇ½¯§\x04\x142/ªƒÒé&tÍ~\x04\x05[Œ\x1aW-)s´Æ´Šzéõî\x7fÍš\x13Wq¤àÕgÍžñY\x05\x01lé?)é“ \n?D0‘\"\x06;¶É¤\x01 ͺ-@Ê\x10‘5@L\x01\x1f¨\x1fÍû\x04@ŸˆKÍÊàWR&¶hë \x10éhÙ\r£Oa\n\x14¤eéšÍF@\x1d\x01-Ùþeƒ¯ÏßÜUküõƒ\x1f6-‘¤" | C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\54a5456 = "@KX¬\x17Á†n+ÃûL\nÔ}ÓiÞ-`CàX\u0081¦ìÞcÅ&q&Õ°¶[éõéÛMô)wçƒ?\x06U$àç;L~6D”õ0îÞeÙ7ß\x01Íß\x01‡F0éPÂ\\ææz\u0081F\x18½@¤š-\x14\u00a0tOé¯bü\x1f\x1f\u00a0ÙYºc)\r\x04aéaŽlûƒÖWñ˜\x01ʇ½¯§\x04\x142/ªƒÒé&tÍ~\x04\x05[Œ\x1aW-)s´Æ´Šzéõî\x7fÍš\x13Wq¤àÕgÍžñY\x05\x01lé?)é“ \n?D0‘\"\x06;¶É¤\x01 ͺ-@Ê\x10‘5@L\x01\x1f¨\x1fÍû\x04@ŸˆKÍÊàWR&¶hë \x10éhÙ\r£Oa\n\x14¤eéšÍF@\x1d\x01-Ùþeƒ¯ÏßÜUküõƒ\x1f6-‘¤" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe | N/A |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe
"C:\Users\Admin\AppData\Local\Temp\5362d2ac0f50e9aaa3ade132b586df10f98b8580b9508dee8a47de392bde66bdN.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 95.100.195.159:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 69.162.80.54:80 | lysyfyj.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 172.67.173.131:80 | qegyhig.com | tcp |
| US | 162.255.119.102:80 | gahyqah.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 69.162.80.54:80 | lysyfyj.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| DE | 178.162.203.202:80 | gatyfus.com | tcp |
| DE | 178.162.217.107:80 | gatyfus.com | tcp |
| NL | 5.79.71.225:80 | gatyfus.com | tcp |
| NL | 5.79.71.225:80 | gatyfus.com | tcp |
| DE | 178.162.203.226:80 | gatyfus.com | tcp |
| NL | 85.17.31.122:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 172.67.136.136:80 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 104.155.138.21:80 | lygynud.com | tcp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| CN | 218.92.0.241:80 | lyrysor.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| CN | 218.92.0.241:80 | lyrysor.com | tcp |
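The Network tables of both detonations show the same behaviour: within about two minutes the dropped svchost.exe looks up well over a hundred distinct .com names of one fixed shape (gatyfus, vojyqem, lyvyxor, ...), and only a handful of them are followed by a TCP connection. Because the names are pronounceable, entropy-based DGA scoring will not fire on them; the useful signals are the structural shape and the lookup volume. The following is an added example, not part of the report: it parses rows in the report's `| Country | Destination | Domain | Proto |` layout, tags domains matching the shape seen on this page (seven letters, consonant/vowel alternation with a fixed y in the fourth position, under .com), and separates names that were only looked up from names that were actually contacted. The regular expression is inferred from the names on this page and is an assumption of the example, not a published description of the family's generation algorithm; the sample rows are a constructed subset of the table above.

```python
import re
from collections import Counter

# Shape of the names seen in this report. Assumption: derived by eye from the
# page's lookups; other variants of the family may use a different shape.
CONS = "[bcdfghjklmnpqrstvwxz]"
VOW = "[aeiouy]"
DGA_SHAPE = re.compile(rf"^{CONS}{VOW}{CONS}y{CONS}{VOW}{CONS}$")

# Constructed subset of the report's Network table, used as sample input.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 95.100.195.156:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
"""


def registered_domain(host):
    """Collapse www./ww8. style prefixes to the last two labels. Assumes no
    two-label public suffixes, which holds for the .com names here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_simda_dga(host):
    """True when the registered domain is a .com of the observed shape."""
    name, _, tld = registered_domain(host).partition(".")
    return tld == "com" and DGA_SHAPE.match(name) is not None


def parse_network_rows(text):
    """Yield (country, destination, domain, proto) from report table rows;
    the header row and any non-table line are skipped."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        yield tuple(cells)


def triage(text):
    """Split DGA-shaped names into those merely resolved and those contacted."""
    lookups = Counter()
    connected = set()
    for _country, dest, domain, proto in parse_network_rows(text):
        if not looks_like_simda_dga(domain):
            continue
        dom = registered_domain(domain)
        if proto == "udp" and dest.endswith(":53"):
            lookups[dom] += 1
        elif proto == "tcp":
            connected.add(dom)
    looked_up = set(lookups)
    return {
        "looked_up": looked_up,
        "connected": connected,
        "never_connected": looked_up - connected,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for key in ("looked_up", "connected", "never_connected"):
        print(f"{key}: {sorted(result[key])}")
```

In a detection pipeline the shape test alone is too narrow to rely on; pair it with the volume seen here (dozens of unique new .com lookups from one process in a two-minute window) and treat the `connected` set as the live command-and-control candidates worth blocking first.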
Files
memory/2404-0-0x0000000000240000-0x0000000000243000-memory.dmp
memory/2404-1-0x0000000000400000-0x000000000045F000-memory.dmp
\Windows\AppPatch\svchost.exe
| MD5 | 0af2fcf8d57d24b7960fedda0f2cfd83 |
| SHA1 | 1e9902060c10eba458ac1a0d7cdfaf9c0b548773 |
| SHA256 | 7bed49872dfe5a9bf14709709b7e829ae4163af45bd9a7c6cf65115f72213a74 |
| SHA512 | 9abb05a14a82d4fc27c56a993493cf896113e10e710234aa394f4093c6fdf608b0fa43f3ac7cad63031cc4ec5f6f32bbbc0c87662f5a0f5bdd1e15306e282065 |
memory/2404-13-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2404-12-0x0000000000240000-0x0000000000243000-memory.dmp
memory/2404-11-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1472-15-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1472-16-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1472-17-0x0000000002280000-0x0000000002328000-memory.dmp
memory/1472-27-0x0000000002280000-0x0000000002328000-memory.dmp
memory/1472-25-0x0000000002280000-0x0000000002328000-memory.dmp
memory/1472-23-0x0000000002280000-0x0000000002328000-memory.dmp
memory/1472-21-0x0000000002280000-0x0000000002328000-memory.dmp
memory/1472-19-0x0000000002280000-0x0000000002328000-memory.dmp
memory/1472-28-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1472-31-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-33-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-29-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-37-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-35-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-39-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-41-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-42-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-48-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-50-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-36-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-38-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-61-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-72-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-40-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-80-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-81-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-79-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-78-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-77-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-76-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-75-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-74-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-73-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-71-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-70-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-69-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-68-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-67-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-66-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-65-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-64-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-63-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-62-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-60-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-59-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-58-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-57-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-56-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-55-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-54-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-53-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-52-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-51-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-49-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-47-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-46-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-45-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-44-0x0000000002430000-0x00000000024E6000-memory.dmp
memory/1472-43-0x0000000002430000-0x00000000024E6000-memory.dmp
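The Files sections of both detonations list the memory regions the sandbox dumped, named `memory/<pid>-<sequence>-<start>-<end>-memory.dmp`. Read together with the signatures, they tell a consistent story: in the Win10 run the parent (PID 964) holds its own image at 0x400000-0x45F000, a larger 0x400000-0x467000 region appears in the parent at sequence 11 and then in the child svchost.exe (PID 1632) from sequence 14 onward, which lines up with the three PID 964 to PID 1632 WriteProcessMemory events, and the child's 0x2BB0000-0x2C66000 heap region is captured dozens of times, suggesting it is rewritten throughout the run. The following is an added example, not part of the report: it parses the dump file names, groups captures by PID and region, and reports which regions are shared between a parent and a child PID. The sample list is a constructed subset of the Win10 Files section above; the interpretation of shared regions as injected content is an assumption to be confirmed by examining the dumps.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed subset of the report's Files section (Win10 run), used as input.
# The non-dump line at the end shows that other Files entries are skipped.
SAMPLE_DUMPS = r"""
memory/964-0-0x0000000000500000-0x0000000000503000-memory.dmp
memory/964-1-0x0000000000400000-0x000000000045F000-memory.dmp
memory/964-13-0x0000000000400000-0x000000000045F000-memory.dmp
memory/964-12-0x0000000000500000-0x0000000000503000-memory.dmp
memory/964-11-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1632-14-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1632-15-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1632-16-0x0000000002A00000-0x0000000002AA8000-memory.dmp
memory/1632-17-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1632-18-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-20-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-22-0x0000000002BB0000-0x0000000002C66000-memory.dmp
memory/1632-79-0x0000000002BB0000-0x0000000002C66000-memory.dmp
C:\Windows\apppatch\svchost.exe
"""


def parse_dump_name(name):
    """Return pid, sequence, start, end and size for a dump file name, or None."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def summarize(names):
    """One record per (pid, region): capture count and first/last sequence."""
    regions = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        if d:
            regions[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return [
        {"pid": pid, "start": start, "end": end, "size": end - start,
         "captures": len(seqs), "first_seq": min(seqs), "last_seq": max(seqs)}
        for (pid, start, end), seqs in sorted(regions.items())
    ]


def image_sizes(summary, base=0x400000):
    """Sizes of the region mapped at the usual image base, per pid. A size
    that differs between parent and child hints at a different PE being run."""
    sizes = defaultdict(set)
    for r in summary:
        if r["start"] == base:
            sizes[r["pid"]].add(r["size"])
    return dict(sizes)


def shared_regions(summary, parent, child):
    """Regions with identical bounds in both pids; candidates for content the
    parent wrote into the child (assumption: to be verified against the dumps)."""
    by_pid = defaultdict(set)
    for r in summary:
        by_pid[r["pid"]].add((r["start"], r["end"]))
    return by_pid[parent] & by_pid[child]


if __name__ == "__main__":
    summary = summarize(SAMPLE_DUMPS.splitlines())
    for r in summary:
        print(f"pid {r['pid']} 0x{r['start']:X}-0x{r['end']:X} "
              f"size 0x{r['size']:X} captured {r['captures']}x "
              f"(seq {r['first_seq']}..{r['last_seq']})")
    print("shared 964->1632:", [f"0x{s:X}-0x{e:X}" for s, e in shared_regions(summary, 964, 1632)])
```

The region captured most often (0x2BB0000-0x2C66000 in the child, 0xB6000 bytes) is the one to pull first when looking for decrypted configuration or the domain list, since content that keeps changing is usually working data rather than code.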