Malware Analysis Report

2024-10-16 07:01

Sample ID 240610-qaspmaxbjk
Target 6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39
SHA256 6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39

Threat Level: Known bad

The file 6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39 was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Detects executables packed with Themida

Modifies visibility of hidden/system files in Explorer

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 13:03

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 13:03

Reported

2024-06-10 13:06

Platform

win7-20240221-en

Max time kernel

151s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe \??\c:\windows\resources\themes\explorer.exe
PID 1164 wrote to memory of 2652 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2652 wrote to memory of 2484 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2484 wrote to memory of 2716 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1164 wrote to memory of 2644 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2484 wrote to memory of 2604 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2484 wrote to memory of 916 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2484 wrote to memory of 2904 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe

"C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 13:06 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 13:07 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 13:08 /f

Network

N/A

Files

memory/2032-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2032-1-0x00000000776B0000-0x00000000776B2000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 1111d298af0069b2f7dd9257690471a3
SHA1 9cb1d6519e6de5c46e8f7b3d92b052be0937ebe6
SHA256 c5bbceb45212cbabe854eb9ffee064e30028508efb4c396ee95a072873f14b86
SHA512 b4ea6091438a55ed760d793cd3bcfd437db76635fcc93c1d8283cbb13f820776f5da63d65b11aeb0a5578de3cb2b12f7b54715289aa8a8739981f1a7df70ee65

memory/1164-11-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 bb7e0ab3faa878c92c6fc72b688f68fb
SHA1 b65269b81c93c0daf87df065ab57397c28798749
SHA256 61f9b67481924d758e1ba272c373b9ebda63f57f261a73a7d046ef30de30be43
SHA512 c92333b0e0f4f19300fe678839926580ab4a2b9242582af77b8e740eaef6997d4fa084a3cbf01dc43d57feaa44d4538f9b734b67cde7dbf4fc62f3a7e3bd0d47

memory/1164-22-0x0000000003460000-0x0000000003A6E000-memory.dmp

memory/2652-23-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\svchost.exe

MD5 82d5e6f6af29375a27942562b7f6f952
SHA1 2084c22f6a66eb63ab95cbe021d4b0d1eae11155
SHA256 6f79bad21d6bae6794d1c873e7d07a68bf13d17dd503b60a014f16c2abc6f011
SHA512 8ea645a37fe629a8c112d753048beaa8ee7980be5ab4b0105863fc36bc0090b852a27671c1cf4e0b8599397d48fa024a073d19a8a73f517381ee945f78357841

memory/2652-34-0x00000000033F0000-0x00000000039FE000-memory.dmp

memory/2484-35-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2032-44-0x00000000032A0000-0x00000000038AE000-memory.dmp

memory/2716-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2032-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2716-48-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2652-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2032-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1164-52-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1164-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2484-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1164-65-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2484-72-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1164-73-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 13:03

Reported

2024-06-10 13:06

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

57s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe \??\c:\windows\resources\themes\explorer.exe
PID 4748 wrote to memory of 1524 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1524 wrote to memory of 1184 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1184 wrote to memory of 1140 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe

"C:\Users\Admin\AppData\Local\Temp\6731b2508858a317a0adbd38e3a730eba52ca1904e2bd59cb985b93481481e39.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Files

memory/1628-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1628-1-0x0000000077E64000-0x0000000077E66000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 9b1cc84e1e7059778c58dd183a30bbc5
SHA1 e5f2e292be3f88fee9c46683e23e210216ca3015
SHA256 cd22390fb0ba7cdd2715c9bcd44185d64b66cccb38a17c6c894f5c6989d1700b
SHA512 dc8a8995cb1d1fab8d4fdac2d3f79aac8a6c2af84af2fa9cb7a0668d631b2792d5ab972af5ecec94e9c0abac560675fb117b22f66dbb7b7d950dda4c09d892bd

memory/4748-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 b8df372cc5e6f1aa2f4b3ee6af51fb61
SHA1 747da110f24358fc3729c5cdfa9105f43cdc377e
SHA256 e74e67be362be3b9ef0115f7ccb6ba198023aedd406559fa29189220ecab4489
SHA512 8663c230fdcfe6af1e5de937561f565e387ed25abb64e2fdcf51f35467ede55b5920c8545e8331e77e7fd8abffaaa60afd7fa1dc53b1b605c5736cfc6af256c2

memory/1524-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 81f625ff5f8eb03687e6833d4793817a
SHA1 9faa153913e80308de7d3d46d2c1a50814819016
SHA256 fabbdd6cbaee585b6484b9d126ca35b798336ea957bcf8f8f0db3d70cdd36c2a
SHA512 8c564e0cac338806ff7d39b992c47386d68a08583cb5bb2ec022c7796f874bcced1613b597e3e048924f85dacdb769e8e5f402d1f73ab859f908263c73a67e8c

memory/1184-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1140-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1140-38-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1524-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1628-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4748-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1184-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4748-45-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4748-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1184-63-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1184-65-0x0000000000400000-0x0000000000A0E000-memory.dmp