Analysis Overview
SHA256
25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928
Threat Level: Known bad
The file 25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Simda family
simda
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Drops file in Windows directory
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 20:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 20:38
Reported
2024-11-04 20:41
Platform
win7-20241010-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3ba3a0ea = "ÃY¬ª‚~§lé`”‰\x1bS£J_VÅwë½\x05\v„¥|m•Ë" | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3ba3a0ea = "ÃY¬ª‚~§lé`”‰\x1bS£J_VÅwë½\x05\v„¥|m•Ë" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | N/A |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1820 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | C:\Windows\apppatch\svchost.exe |
| PID 1820 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | C:\Windows\apppatch\svchost.exe |
| PID 1820 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | C:\Windows\apppatch\svchost.exe |
| PID 1820 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe
"C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
\Windows\AppPatch\svchost.exe
| MD5 | 26ecb82e04b774a1bbbfbdd65608a51d |
| SHA1 | 952208d57509f9857dc0ce92708099bc64adc069 |
| SHA256 | 3b997414630e0a6684cdc1704c3cc504883b1f9798494f607b0bded59806b536 |
| SHA512 | e2a523ecea7a54c42ec06c267d91e3fb8830fdf610f350b907775e4f0170671790a83ec6ff88c76b9bb83757b33f63a0e289eadbe38790a211f5effafd577955 |
C:\Users\Admin\AppData\Local\Temp\DF9B.tmp
| MD5 | 61a60a5fcd95bf13ad2f9dd2239effc5 |
| SHA1 | 5c25271bf17ead7c898ce9e89d83d4b8fc46af74 |
| SHA256 | 01f7db2098b409aa22e457464c7b37237ccf9aab2c74049c7df6ccfa905e8fcf |
| SHA512 | 527e6f7c9714bbe76f32c5db943a3bce44e92ed815cced41184715ed1d34130849f13aff8fadfca3ddf4d2a546549413375d92d39105911d24e633366895cf76 |
C:\Users\Admin\AppData\Local\Temp\DFDD.tmp
| MD5 | 7a1817cffdfa0cf15c59d0b6aa6fd58d |
| SHA1 | e4f1eed6565d45041d5ee5ca7c689754c4f2f2a5 |
| SHA256 | 35d851371d9770f8beea952357b755de94d0b321d30fe3f3ccb2920e7cc467f1 |
| SHA512 | 5527691977ed11df610029bb3d29cea1048e098e39cbf03e7d7985963db61daf3036166e10ecf7a6244f86b7bc0eb32f4978b1b2dd34d9d6d0f0ad3a34fecf22 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 20:38
Reported
2024-11-04 20:41
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\53e2d88a = "ù\x18‰™\x18‡š°eq¤\x1f\u008dÞY®¡¾>’ò\x1b̪Ù~êÐ\b\x05\x1c>\">2Zõ\u008daïm\x10þ-ÙÝn©Ž5öNΆ¨Þæøv\x1dŸpF\x16.È‚îï]9_&½ ÷Y\u009d\r½\"ž@–NF¥Ÿ\x15µ—eñ!ý\x0fÆ*Ê}\x1dF\x15ŸrØ5p–þÎÆf\x16}\x05\x01I7\tX\r×¶FÆÈªb`îî¾oƘMíí\x1eÕ:\x0eO\u009dð–\b\x01\x7f\x19)ÖhHýÑ" | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\53e2d88a = "ù\x18‰™\x18‡š°eq¤\x1f\u008dÞY®¡¾>’ò\x1b̪Ù~êÐ\b\x05\x1c>\">2Zõ\u008daïm\x10þ-ÙÝn©Ž5öNΆ¨Þæøv\x1dŸpF\x16.È‚îï]9_&½ ÷Y\u009d\r½\"ž@–NF¥Ÿ\x15µ—eñ!ý\x0fÆ*Ê}\x1dF\x15ŸrØ5p–þÎÆf\x16}\x05\x01I7\tX\r×¶FÆÈªb`îî¾oƘMíí\x1eÕ:\x0eO\u009dð–\b\x01\x7f\x19)ÖhHýÑ" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5040 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | C:\Windows\apppatch\svchost.exe |
| PID 5040 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | C:\Windows\apppatch\svchost.exe |
| PID 5040 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe
"C:\Users\Admin\AppData\Local\Temp\25965397b94cf0beaea0eaa34e301e96d37f3433795a06400ab8545bdae1f928.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
C:\Windows\apppatch\svchost.exe
| MD5 | 88c8b6dfdd70aca88fb15bb498dfaf46 |
| SHA1 | fb3c89f581b088a924bba784a34f20f0d030c6fa |
| SHA256 | 75d6e1374ec1e39bc77c077d116f0da1b04a9879870c1c15addee4250e0cadbc |
| SHA512 | f2b080e41d54b51ab11b81d3e4f1619c292d9f971a5abbb9e719d51a8ffc7742b57ab53ec1242f436c1e0535627dbc54c9671bfc21f405c33f747233389ce24b |
C:\Users\Admin\AppData\Local\Temp\B27D.tmp
| MD5 | 3c8ea4a696233860d431052faf23c703 |
| SHA1 | f02e302e94189aae0d567874f8bb321cf5a6c1ff |
| SHA256 | d42b7604052e639435fea83a8cafdf5f9c771a096c39a74401d61512b85e212e |
| SHA512 | 2e774a029ce3336cc9ff9833e1a1e6d87bc9a34c073ae8be630e6f1f409237d6a0420d7f6bbd49a4152972710ab93c97bed4acf7b7145b25921aa4f309ab97d0 |