Malware Analysis Report

2024-10-16 07:01

Sample ID 240609-hy369sgb52
Target b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee
SHA256 b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee
Tags
evasion persistence themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee

Threat Level: Known bad

The file b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee was found to be: Known bad.

Malicious Activity Summary

evasion persistence themida trojan

Detects executables packed with Themida

Modifies visibility of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-09 07:09

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 07:09

Reported

2024-06-09 07:12

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows; no indicator details recorded)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
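Every process in the chain opens HKLM\HARDWARE\ACPI\DSDT\VBOX__ and reads SystemBiosVersion and VideoBiosVersion, which on a VirtualBox guest with default firmware identify the hypervisor outright; a sample that sees them may change behaviour or stop, so a 10/10 score still says nothing about what the payload does on real hardware. The Python below is an added example, not part of the report: it audits an analysis VM for the same three fingerprints. collect() reads the live registry on Windows; the two snapshots are constructed (the VirtualBox strings are illustrative of an unhardened guest, the hardened ones of a VM whose firmware strings were replaced and whose DSDT table was renamed), and MARKERS is a starting list rather than a complete hypervisor fingerprint set.

```python
r"""Audit an analysis VM for the registry fingerprints this sample reads.

Added example, not part of the sandbox report. The sample opens
HKLM\HARDWARE\ACPI\DSDT\VBOX__ and reads SystemBiosVersion / VideoBiosVersion
(see the tables above). collect() reads the live registry on Windows; on other
platforms, or in tests, pass a constructed snapshot to audit(). MARKERS and
the snapshot strings are illustrative, not a complete fingerprint set.
"""
import sys

# Registry locations the sample touches, as recorded in the report (HKLM-relative).
ACPI_TABLE_KEYS = [r"HARDWARE\ACPI\DSDT\VBOX__"]
BIOS_VALUES = [(r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
               (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion")]
# Substrings that give away common hypervisors (assumed starting list).
MARKERS = ("vbox", "virtualbox", "innotek", "vmware", "qemu", "bochs")


def collect():
    """Snapshot of the probed locations from the live registry (Windows only).
    Returns {'keys': {path: exists}, 'values': {(path, name): [strings]}}."""
    import winreg  # only importable on Windows
    snap = {"keys": {}, "values": {}}
    for path in ACPI_TABLE_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path):
                snap["keys"][path] = True
        except OSError:
            snap["keys"][path] = False
    for path, name in BIOS_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
                data, _ = winreg.QueryValueEx(k, name)  # REG_MULTI_SZ -> list of str
        except OSError:
            data = []
        snap["values"][(path, name)] = data if isinstance(data, list) else [str(data)]
    return snap


def audit(snap):
    """Return (location, evidence) pairs that would tell the sample it is in a VM."""
    leaks = []
    for path, exists in snap["keys"].items():
        if exists:  # the VBOX__ DSDT table only exists on a VirtualBox guest
            leaks.append((path, "key present"))
    for (path, name), strings in snap["values"].items():
        for s in strings:
            if any(m in s.lower() for m in MARKERS):
                leaks.append((f"{path}\\{name}", s))
                break
    return leaks


# Constructed snapshot of an unhardened VirtualBox guest (illustrative strings).
VBOX_SNAPSHOT = {
    "keys": {r"HARDWARE\ACPI\DSDT\VBOX__": True},
    "values": {
        (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): ["VBOX   - 1"],
        (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"): ["Oracle VM VirtualBox Version 7.0.0 VBE BIOS"],
    },
}
# Constructed snapshot after the firmware strings were replaced and the table renamed.
HARDENED_SNAPSHOT = {
    "keys": {r"HARDWARE\ACPI\DSDT\VBOX__": False},
    "values": {
        (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): ["DELL   - 1072009"],
        (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"): ["Intel Video BIOS"],
    },
}

if __name__ == "__main__":
    snap = collect() if sys.platform == "win32" else VBOX_SNAPSHOT
    for where, evidence in audit(snap):
        print(f"{where}: {evidence}")
```

On the unhardened snapshot all three locations leak; on the hardened one nothing does. The key-existence check matters as much as the strings: renaming the BIOS vendor while leaving the VBOX__ table in place still fails the first probe the sample makes.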

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows; no indicator details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe N/A (34 identical rows)
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A (30 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe \??\c:\windows\resources\themes\explorer.exe (3 identical rows)
PID 1396 wrote to memory of 372 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe (3 identical rows)
PID 372 wrote to memory of 4296 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe (3 identical rows)
PID 4296 wrote to memory of 1132 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe (3 identical rows)
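The rows above have three fixed shapes (Set value ... = "..." <process> N/A, File opened for modification <path> <process> N/A, and PID A wrote to memory of B N/A <source> <target>), so the persistence values, dropped paths and the parent-to-child chain can be pulled out mechanically. The Python below is an added example for this page, not tooling from the sandbox or the report's publisher; REPORT_ROWS is a subset of the behavioral2 rows copied from above, and the regexes assume the layout seen here (space-separated columns, paths without spaces, process path last before the trailing N/A).

```python
"""Extract IOCs and the process chain from this report's signature rows.

Added example for this page, not tooling from the sandbox or its publisher.
REPORT_ROWS is copied from the behavioral2 tables above (a subset, so counts
here are smaller than in the full tables). The parser assumes the row shapes
visible on this page: space-separated columns, paths without spaces, and the
process path last before the trailing N/A.
"""
import re

REPORT_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
PID 1976 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe \??\c:\windows\resources\themes\explorer.exe
PID 1976 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe \??\c:\windows\resources\themes\explorer.exe
PID 1396 wrote to memory of 372 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 372 wrote to memory of 4296 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4296 wrote to memory of 1132 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
"""

# One regex per row shape seen in the report.
SET_VALUE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (\S+) N/A$')
FILE_MOD = re.compile(r'^File opened for modification (\S+) (\S+) N/A$')
MEM_WRITE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')
AUTORUN = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def normalize_path(p):
    """Drop the NT object-manager prefix (the four characters before the drive
    letter) and lower-case, so both path spellings in the report compare equal."""
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def parse_rows(text):
    """Split rows into registry writes, file modifications and cross-process memory writes."""
    regs, files, writes = [], [], []
    for line in text.strip().splitlines():
        if m := SET_VALUE.match(line):
            regs.append({"type": m[1], "key": m[2], "data": m[3], "process": normalize_path(m[4])})
        elif m := FILE_MOD.match(line):
            files.append({"path": normalize_path(m[1]), "process": normalize_path(m[2])})
        elif m := MEM_WRITE.match(line):
            writes.append({"src_pid": int(m[1]), "dst_pid": int(m[2]),
                           "src": normalize_path(m[3]), "dst": normalize_path(m[4])})
    return regs, files, writes


def persistence_entries(regs):
    """Run/RunOnce values as {value name: command}; the report doubles backslashes in data."""
    return {r["key"].rsplit("\\", 1)[1]: r["data"].replace("\\\\", "\\")
            for r in regs if AUTORUN.search(r["key"])}


def dropped_files(files):
    """Distinct paths opened for modification, in first-seen order."""
    return list(dict.fromkeys(f["path"] for f in files))


def process_chain(writes):
    """Collapse repeated WriteProcessMemory rows into (src_pid, dst_pid) edges with call counts."""
    edges = {}
    for w in writes:
        e = edges.setdefault((w["src_pid"], w["dst_pid"]), {"src": w["src"], "dst": w["dst"], "calls": 0})
        e["calls"] += 1
    return edges


def chain_string(edges, root_pid):
    """Follow the first recorded child of each PID from the root: '1976 -> 1396 -> ...'."""
    order, cur = [root_pid], root_pid
    while True:
        children = [dst for (src, dst) in edges if src == cur]
        if not children or children[0] in order:
            break
        cur = children[0]
        order.append(cur)
    return " -> ".join(map(str, order))


if __name__ == "__main__":
    regs, files, writes = parse_rows(REPORT_ROWS)
    print("autorun:", persistence_entries(regs))
    print("dropped:", dropped_files(files))
    edges = process_chain(writes)
    for (s, d), e in edges.items():
        print(f"{s} -> {d}  {e['src']} -> {e['dst']}  ({e['calls']} writes)")
    print("chain:", chain_string(edges, 1976))
```

Running it prints the two RunOnce values (both launched with the RO argument), the four dropped paths under c:\windows\resources\ and the chain 1976 -> 1396 -> 372 -> 4296 -> 1132, i.e. sample -> explorer.exe -> spoolsv.exe -> svchost.exe -> spoolsv.exe. Each hop appears as repeated WriteProcessMemory rows from a parent into its newly created child, consistent with the parent creating the child; the chain, not any single binary, is what to look for in endpoint telemetry. Note also that the Network tables on this page contain only PTR lookups to 8.8.8.8 for a handful of public addresses, the pattern an idle Windows VM produces on its own; no connection attributable to the sample is recorded in the 93 s and 119 s network windows, so treat command-and-control as unobserved rather than absent, particularly since the sample probes for VirtualBox and BIOS vendor strings.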

Processes

C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe

"C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp

Files

memory/1976-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1976-1-0x0000000077D04000-0x0000000077D06000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 fd583de1d7a1f183ec2e67762726000e
SHA1 b8b86524c244d7618be1332a0ff884ae13645d40
SHA256 65ffa68e274aae8ae88206f9f8f6f53071247284e204eacd8c04a56de395c251
SHA512 7e846ccdb412dae24c722aae2228985321f29d7ecf6e63815adf56a013d658c4c1dc7339a147175bf71eadc4e6adc886fd1cec8a059c3b1caeb8997d83dbca87

memory/1396-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 72f4b2b6a90b66ac4026fa76532c3da4
SHA1 79e10294c6a0b3a9c6a7bb62f3968f781279ba9f
SHA256 5cfa8884af006765bace66813902726c76433c30dc1b33b8028e61f50939cc89
SHA512 3e911bafdcf486c85818caf62504bd16db9a390e4aa09379ea3bb1d5a41eb0f61b66ee3d0739c1598df1705e2b29ee5530a28b1586838f2f6d93bd660e95b204

memory/372-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 ac971bd91a9b9de47588572d8dfd2e4c
SHA1 a933d9cd61c7846c201eeecaa110e33fd39abf68
SHA256 f5c5fb06d996703b41a1857f45ed02d4059ca1f7e80625e81a23377a6c23e3ac
SHA512 73184ad94016a65a7320b9fae66d777980a9f5c888ab8830b5bbc0004262f991ddf88b92f11f7e488c4c3d00ea499fe4f48668d01acc9651a6cd92bc45fc08f6

memory/4296-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1132-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1132-37-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/372-39-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1976-41-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1396-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4296-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1396-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4296-47-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4296-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1396-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 07:09

Reported

2024-06-09 07:12

Platform

win7-20231129-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A (18 identical rows; no indicator details recorded)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (18 identical rows; no indicator details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe N/A (17 identical rows)
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A (24 identical rows)
N/A N/A \??\c:\windows\resources\svchost.exe N/A (23 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe \??\c:\windows\resources\themes\explorer.exe
PID 2368 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe \??\c:\windows\resources\themes\explorer.exe
PID 2368 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe \??\c:\windows\resources\themes\explorer.exe
PID 2368 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe \??\c:\windows\resources\themes\explorer.exe
PID 2204 wrote to memory of 1216 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2204 wrote to memory of 1216 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2204 wrote to memory of 1216 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2204 wrote to memory of 1216 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1216 wrote to memory of 2152 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1216 wrote to memory of 2152 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1216 wrote to memory of 2152 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1216 wrote to memory of 2152 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2152 wrote to memory of 2640 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2152 wrote to memory of 2640 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2152 wrote to memory of 2640 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2152 wrote to memory of 2640 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2204 wrote to memory of 2448 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2152 wrote to memory of 2736 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2152 wrote to memory of 1932 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2152 wrote to memory of 852 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe

"C:\Users\Admin\AppData\Local\Temp\b32b461300613ce316a0d09a974e13acf2296c86050b747b5e679ea236f47bee.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:11 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:12 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:13 /f

Network

N/A

Files

memory/2368-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2368-1-0x0000000077970000-0x0000000077972000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 484237e764442e5b8017ffc8330f9514
SHA1 ece286e38ec31707329991a2685881d9ae1b86b8
SHA256 c1eba2910ff0c9e895c92fdbede33ddd623c77ffeb643f82f5dbfdefe94be4fa
SHA512 8454553433a1a00b5099727cbef442cbaa00e00b10cb7b818a91db2e2a783cede1213c43f71e438542f0bb37ffe716f063a9a4d32be5d1a2c84d00815dce6686

memory/2204-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2368-11-0x00000000035B0000-0x0000000003BBE000-memory.dmp

\Windows\Resources\spoolsv.exe

MD5 21836b87711f1dfb58ea8a6ec1468376
SHA1 447f751568dcb911858d6bb6c8e348afe0dc62fd
SHA256 ee28a3f2c15622192cf12d3566bb965057e5b8f7960ec8b506e80d3fc40f7386
SHA512 f8913edaafc707e7a52ed13aa3c4f6d3bcd393d65c41aefffba2404b090aca05f0aae53415aee12af08259ff08e1627315da9436b5e9d118f43af12406bc92c9

memory/2204-22-0x00000000035B0000-0x0000000003BBE000-memory.dmp

memory/1216-24-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 e0773a13cc7c1eec6dcdb71a176623d0
SHA1 c9f1d61d7115e51a346ce87677343449cf72b3a9
SHA256 8bb0f5910d2b1cdc0e3bf154fa24e5ee957daccd443cc0e095ce116d2913be9a
SHA512 4ab1c0e36d91aa0af747b832123bdc5c6c08fdcbd7884bce70f8d12e59a1aa07bf57b65db8c6bf18fcb474870aa1721e8d9f40f5aab6b2b607fb6ecabbcc8fd8

memory/1216-35-0x0000000003680000-0x0000000003C8E000-memory.dmp

memory/2152-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2152-43-0x0000000003510000-0x0000000003B1E000-memory.dmp

memory/2640-47-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2368-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2640-52-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1216-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2368-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2204-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2204-58-0x00000000035B0000-0x0000000003BBE000-memory.dmp

memory/2152-57-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2204-63-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2204-67-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2152-80-0x0000000000400000-0x0000000000A0E000-memory.dmp