Analysis Overview
SHA256
9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898e
Threat Level: Known bad
The file 9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN was found to be: Known bad.
Malicious Activity Summary
simda
Simda family
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 09:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 09:09
Reported
2024-11-05 09:11
Platform
win7-20240708-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\101d2b2d = "C:\\Windows\\apppatch\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Defender\lysyfyj.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\galyqaz.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\pupycag.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\lygynud.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\qetyfuv.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\lymyxid.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\vonypom.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\vocyzit.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\gahyqah.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\pupydeq.com | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\MuiCache | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2036 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | C:\Windows\apppatch\svchost.exe |
| PID 2036 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | C:\Windows\apppatch\svchost.exe |
| PID 2036 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | C:\Windows\apppatch\svchost.exe |
| PID 2036 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe
"C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
C:\Windows\AppPatch\svchost.exe
| MD5 | 25d8b94ff586820f54312e7dc9290cfc |
| SHA1 | 99db7e5fe45efe50d590e7c8e437c1b0653d17e7 |
| SHA256 | 0ba46860e72835f18b1ee41f721dede256719c36bf7806d21a619154fe68b9dd |
| SHA512 | d11479bf47ba6ffb9903ce2a0a499b3e4300ce2024d61e7add7c9e65e448d1809ff51dc40209271678a05bc4ee3796c4865542bb95747a65165f723b9876df88 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-05 09:09
Reported
2024-11-05 09:12
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\e1fea6a7 = "C:\\Windows\\apppatch\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Defender\lymyxid.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\gahyqah.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\lysyfyj.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\galyqaz.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\pupydeq.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\vocyzit.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\vonypom.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\puzylyp.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\pupycag.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\lygynud.com | C:\Windows\apppatch\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\qetyfuv.com | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | N/A |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\MuiCache | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3108 wrote to memory of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | C:\Windows\apppatch\svchost.exe |
| PID 3108 wrote to memory of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | C:\Windows\apppatch\svchost.exe |
| PID 3108 wrote to memory of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe
"C:\Users\Admin\AppData\Local\Temp\9f192763f3fad8f3f9944bd7d29824f5c6319dc1adf15036019fd33783bb898eN.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
C:\Windows\apppatch\svchost.exe
| MD5 | 9673caed98891ccdd75811f0537845d3 |
| SHA1 | 58a8e90cf24a77d82f6195b3e32ceab7681baadf |
| SHA256 | ccfb2c044df8c2e0c78f42ff6c8e809171e0948e34d64ce8e2e5edea27ec7c93 |
| SHA512 | 9a3587e2883245cd18b750462f0ef77e0102c9ac5f4f9539b775703b8283d5e93ea8d30a09aec53a49884ac04c9dcdf126164ddb327f338e9c0afc2fe997f49c |
memory/3108-15-0x0000000000400000-0x000000000045F000-memory.dmp
memory/3108-14-0x0000000000600000-0x0000000000603000-memory.dmp
memory/3604-16-0x0000000000400000-0x000000000045F000-memory.dmp
memory/3604-17-0x0000000002740000-0x00000000027EA000-memory.dmp
memory/3604-18-0x0000000000400000-0x000000000045F000-memory.dmp
memory/3604-19-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-21-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-23-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-62-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-70-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-71-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-80-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-79-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-78-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-77-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-76-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-75-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-74-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-73-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-72-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-69-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-68-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-67-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-66-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-65-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-64-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-63-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-61-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-60-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-59-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-57-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-56-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-55-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-54-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-53-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-52-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-51-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-50-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-49-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-48-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-47-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-46-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-45-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-44-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-42-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-41-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-40-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-39-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-38-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-37-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-36-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-35-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-34-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-33-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-32-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-30-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-29-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-28-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-25-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-26-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-24-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-58-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-43-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-31-0x0000000002B40000-0x0000000002BF7000-memory.dmp
memory/3604-27-0x0000000002B40000-0x0000000002BF7000-memory.dmp
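The dump names above follow a pid-index-start-end scheme, and most of them are repeated snapshots of a single region in PID 3604 (0x2B40000 to 0x2BF7000), while both PIDs share the 0x400000 to 0x45F000 range. Before pulling dumps down it helps to know which names are the same region captured at different times and which region sizes recur across processes. The following script is an added example, not the sandbox's own tooling: it parses a subset of the names copied from the list above (a constructed sample, not the full list) and summarises regions per PID and across PIDs.

```python
"""Summarise sandbox memory-dump names by process and region.

Added example for this report page, not the sandbox's own tooling. Only the
<pid>-<index>-<start>-<end> naming scheme is used; the dump contents are not
needed. The sample list below is a subset copied from the page's Files list.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed sample: a subset of the dump names listed on the page.
SAMPLE_DUMPS = [
    "memory/3108-0-0x0000000000600000-0x0000000000603000-memory.dmp",
    "memory/3108-1-0x0000000000400000-0x000000000045F000-memory.dmp",
    "memory/3108-15-0x0000000000400000-0x000000000045F000-memory.dmp",
    "memory/3604-16-0x0000000000400000-0x000000000045F000-memory.dmp",
    "memory/3604-17-0x0000000002740000-0x00000000027EA000-memory.dmp",
    "memory/3604-19-0x0000000002B40000-0x0000000002BF7000-memory.dmp",
    "memory/3604-21-0x0000000002B40000-0x0000000002BF7000-memory.dmp",
    "memory/3604-80-0x0000000002B40000-0x0000000002BF7000-memory.dmp",
]


def parse_dump_name(name):
    """Split one dump name into pid, snapshot index and the region bounds."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    return {
        "pid": int(m["pid"]),
        "idx": int(m["idx"]),
        "start": int(m["start"], 16),
        "end": int(m["end"], 16),
    }


def summarise(names):
    """pid -> list of regions (start, end, size, sorted snapshot indices),
    ordered by start address, so repeated captures collapse into one entry."""
    regions = defaultdict(lambda: defaultdict(list))
    for n in names:
        d = parse_dump_name(n)
        regions[d["pid"]][(d["start"], d["end"])].append(d["idx"])
    summary = {}
    for pid, regs in regions.items():
        summary[pid] = [
            {"start": s, "end": e, "size": e - s, "snapshots": sorted(idx)}
            for (s, e), idx in sorted(regs.items())
        ]
    return summary


def shared_regions(summary):
    """Regions that appear under more than one PID, keyed by (start, end)."""
    seen = defaultdict(set)
    for pid, regs in summary.items():
        for r in regs:
            seen[(r["start"], r["end"])].add(pid)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    s = summarise(SAMPLE_DUMPS)
    for pid, regs in sorted(s.items()):
        for r in regs:
            print(f"pid {pid}: 0x{r['start']:X}-0x{r['end']:X} "
                  f"({r['size']:#x} bytes) snapshots {r['snapshots']}")
    print("shared across PIDs:", shared_regions(s))
```

On the sample list the 0x400000 to 0x45F000 range (0x5F000 bytes) is reported for both PIDs, and the 0x2B40000 region in PID 3604 collapses to one entry with its snapshot indices, which is the entry to load first when looking for code that is not present in the on-disk image.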