Malware Analysis Report

2024-12-07 15:07

Sample ID 241105-2f53pa1bkk
Target a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N
SHA256 a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77
Tags
simda discovery persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77

Threat Level: Known bad

The file a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

Simda family

Modifies WinLogon for persistence

simda

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 22:32

Signatures

Simda family

simda

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 22:32

Reported

2024-11-05 22:34

Platform

win7-20241023-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\f42705ed = "v܉K÷3W+Y¿`²,\x13“gÚ÷¬W\x0f\"\u00ad8\x11k\"Å•.Ö“ˆÎ‹Ä|\x1be¨" C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\f42705ed = "v܉K÷3W+Y¿`²,\x13“gÚ÷¬W\x0f\"\u00ad8\x11k\"Å•.Ö“ˆÎ‹Ä|\x1be¨" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe

"C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto

Files

\Windows\AppPatch\svchost.exe

MD5 be28837b91b0a978da1c514d5a8bcdba
SHA1 0f0a1945080f6f8c4c67e44f997bea0040e102df
SHA256 01be7116db4d447ae2fd0c951e2a0eaf17b1be47e29d4c906e46a8fb2f621990
SHA512 3d1db1d568b87fc4e1103e50901b5b84de3f67cb77a07a5df060a430fd198d2739f67e23b37a0ca67f2ddb6db57cf5644395ea766086e14e4a2bcf5169acf67f

C:\Users\Admin\AppData\Local\Temp\9F56.tmp

MD5 9fdcdb3907341c79a6418df710cbabe6
SHA1 9f44538ccf74af30d44d673bf67517a7963cf815
SHA256 8ee4d40598e455b7012ade473ebad7ed0b09c9e953b8b6c57294ccdf3cba4cad
SHA512 afe1a216f3fb44c687dabf3fa51863971d5acf612aaac13fe6128403e3f2eb477df0a91c57a7122f6657c7dce0c05c57acde0b3fa9ce52e24a1d50ce322c7c0d

C:\Users\Admin\AppData\Local\Temp\9EC3.tmp

MD5 9641f0823a9076c0a33a5081e42f187c
SHA1 f1f2634566b5a02ef8193f8544cc34ba6245c5a8
SHA256 947b027246bacae99e7985f38e93f9d7bad342dd21c4527547bb7ddf0936444c
SHA512 7a7d05388056ca53c85907d0a5fcd4bc2f2badd37ea79cfe98d4bc2559b09a05671859447655495a5375ed85fe3638bd2cec9ed6f6663ac3cdc1581eb15a23b3

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 22:32

Reported

2024-11-05 22:34

Platform

win10v2004-20241007-en

Max time kernel

115s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\dfd651cb = "\x1a<\v\x02ÄSí\x13»Ê*àV\x0eeMýå•É>«&ÔSÊ2HøÁPö=µnÌïE\x19×TÙ5t¬×¦\u008f¶¬F=ï%yܼ,eþ\fǦ\x1cÅ\u00ad•ÆÇ~\x17'Á-nå\u00ad´FôÝõ…ñžmEL,\u008d\aE´Å·¾É\f\u008dt\x1c~=1þí\x06M…\x1e¯¬f…Ž\\V%æ\x05Vå¿Ìtž.>¼í\x175}\\|NtÿUm´~9ôæ6é\rÁŒmDßô±DNMű6%uÕ\x01ù\x19\x1d\x01Õ}ž½‡Í„¦-_\x0fÔ~Õ„QYåÜ\a.\u008d-íßÞU\x1edŽÍ4\x1dÔa]Í„9=!=\u00adET&üGùüý®æü•\u008dw¤M?=]yÍæLåÔ)¦Õm\x14\\\x16]m\flΙM-^ütýE„Õå" C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\dfd651cb = "\x1a<\v\x02ÄSí\x13»Ê*àV\x0eeMýå•É>«&ÔSÊ2HøÁPö=µnÌïE\x19×TÙ5t¬×¦\u008f¶¬F=ï%yܼ,eþ\fǦ\x1cÅ\u00ad•ÆÇ~\x17'Á-nå\u00ad´FôÝõ…ñžmEL,\u008d\aE´Å·¾É\f\u008dt\x1c~=1þí\x06M…\x1e¯¬f…Ž\\V%æ\x05Vå¿Ìtž.>¼í\x175}\\|NtÿUm´~9ôæ6é\rÁŒmDßô±DNMű6%uÕ\x01ù\x19\x1d\x01Õ}ž½‡Í„¦-_\x0fÔ~Õ„QYåÜ\a.\u008d-íßÞU\x1edŽÍ4\x1dÔa]Í„9=!=\u00adET&üGùüý®æü•\u008dw¤M?=]yÍæLåÔ)¦Õm\x14\\\x16]m\flΙM-^ütýE„Õå" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe

"C:\Users\Admin\AppData\Local\Temp\a826b7ff08c2244f28a53e5266f566272af32569991ff6084eaba507de4dfa77N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto

Files

C:\Windows\apppatch\svchost.exe

MD5 2654e4070c8eb24da99fcca250b217fa
SHA1 defeb127128af24d1e3691e51fd7e1f017756c34
SHA256 8d159dc29e585669f6f24c835ec38df7df98044d761f84d6f8c40fb3558c3c14
SHA512 8cd27c5ffa43e3b4d59ad0713c661314c44792ac2e8af99fbbd5446550315f738db015d8f5b158499352134baad368ec42bd337c1ac3ee5b061f29cb09439733
