Malware Analysis Report

2024-10-10 08:09

Sample ID 240610-17qawatcjr
Target 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969
SHA256 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969

Threat Level: Known bad

The file 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969 was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Modifies visibility of hidden/system files in Explorer

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Loads dropped DLL

Executes dropped EXE

Themida packer

Checks BIOS information in registry

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 22:17

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 22:17

Reported

2024-06-10 22:20

Platform

win7-20240419-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1340 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe \??\c:\windows\resources\themes\explorer.exe
PID 3064 wrote to memory of 2144 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2144 wrote to memory of 2764 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2764 wrote to memory of 2832 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 3064 wrote to memory of 2700 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2764 wrote to memory of 2540 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2764 wrote to memory of 1648 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2764 wrote to memory of 576 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe

"C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:19 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:20 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:21 /f

Network

N/A

Files

memory/1340-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1340-1-0x0000000077D30000-0x0000000077D32000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 97564e26e9c554f6a3a9a9c71adafb99
SHA1 9d560a6a5b4e6fcfa4e157b2bdd51d3ef47e3a82
SHA256 8ddadd59e5b8979484fabd3c4be72c81b35151b3f5fb2b7adf3d6b184ad377c7
SHA512 1e55e5dcc0a9f06063e51d0b3933ddbf0c587429c17aa88d2be17cf17c6839bd362d502c538318e80a1f5540faa504883677040f02b6bf223359e24a3337143d

memory/3064-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1340-11-0x0000000003690000-0x0000000003C9E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 8f4c5125431da56365af82a612ed9059
SHA1 e3ecb7c3e55f5fad19e293bbdcf3ad1563dc3955
SHA256 81521135ee0212156746a5ab7f9e9ab56bf23cd7efcd808f0e286b81d18aa301
SHA512 eec0163d2715079ff2be150269dacee08f1df912ca3dbbdfe014323e9b451519e25f7d8b6c422955625f693bb6595d442e15dbbae53634e583109e11c5d611ce

memory/2144-24-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3064-22-0x00000000037A0000-0x0000000003DAE000-memory.dmp

\Windows\Resources\svchost.exe

MD5 b2931571958c9af8b32bb6e9285a4d9c
SHA1 5e9802490c94944ad1b8d7b3c1e6eb3d5df09e1c
SHA256 dea7f9dae26687ead751b9288a885aa8826514fe3fcee14ee0fa3fc24132f0f6
SHA512 b1b21c2d824eb8db4598f9fd34d998fdfe0c36f0394b3bd658b55af213200114ad2e3f779ecf3cfe609b40afed73e2f729756cc74c4da83c6a9f67b7b42f11a2

memory/2144-35-0x00000000036D0000-0x0000000003CDE000-memory.dmp

memory/2764-36-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1340-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2764-43-0x0000000003440000-0x0000000003A4E000-memory.dmp

memory/2832-45-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2832-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2144-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1340-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3064-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2764-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3064-57-0x00000000037A0000-0x0000000003DAE000-memory.dmp

memory/3064-66-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3064-68-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3064-74-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 22:17

Reported

2024-06-10 22:20

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3552 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe \??\c:\windows\resources\themes\explorer.exe
PID 3552 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe \??\c:\windows\resources\themes\explorer.exe
PID 3552 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe \??\c:\windows\resources\themes\explorer.exe
PID 3220 wrote to memory of 768 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3220 wrote to memory of 768 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3220 wrote to memory of 768 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 768 wrote to memory of 984 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 768 wrote to memory of 984 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 768 wrote to memory of 984 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 984 wrote to memory of 4532 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 984 wrote to memory of 4532 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 984 wrote to memory of 4532 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe

"C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Files

memory/3552-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3552-1-0x0000000077C34000-0x0000000077C36000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 127d0b386ddd86e105992092e8740dcc
SHA1 74483d6e5cb7c43623cd8e2e55506ac99d853e4d
SHA256 cffe3d7f75baff050a75a0fb57a69cc491604826cc87eccc4b368155cf411b55
SHA512 1b3cfe652c08cb463c406332b0ab3dd82e0316d0f4a6e3fa9144bb627d341e8871c2cb27e0d3ac012922b85bbf9580499182b991eb35e801c1801a281601a4ff

memory/3220-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 33952705473f33187489f6edeebb1dbe
SHA1 d5bfa33226abad8b703f9188b6ce39a3680a2cc6
SHA256 7a39b950c71683c120f3ed4473989c55bf13fea01164470fda5c3d0a4d358db3
SHA512 9d5cf33922cd958ac2bf42d220558e6d0cd8afec4ffaecd2c00471f6e2a21ac385cdd15eba628feae3bd7e072e93baceb8cb58e95d811b26b037f8dde3328226

memory/768-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 9a4c8e1f8ed361759e7cdd6c6ef0c15d
SHA1 0e2da952bccfab75e059b0add55107d70feda531
SHA256 79b9780d97554faea8c0d4cdb1bf279731fb31877f35d95e433bf099511bb9d2
SHA512 423d1d97fb0bba2f23a54c603938b3a4a816bc231328070bf1a6959359345008eef906ba2c16b3f2345da584767fd1a20aab1712f5eba78ce75365169ca0b9ab

memory/984-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4532-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4532-38-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3552-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/768-41-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3220-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/984-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3220-45-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3220-50-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3220-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/984-63-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/984-65-0x0000000000400000-0x0000000000A0E000-memory.dmp