Malware Analysis Report

2024-10-10 07:59

Sample ID 240611-2ykjpsvgkj
Target 6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6
SHA256 6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6

Threat Level: Known bad

The file 6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6 was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Modifies visibility of hidden/system files in Explorer

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 22:59

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 22:59

Reported

2024-06-11 23:01

Platform

win7-20240215-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe \??\c:\windows\resources\themes\explorer.exe
PID 2972 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe \??\c:\windows\resources\themes\explorer.exe
PID 2972 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe \??\c:\windows\resources\themes\explorer.exe
PID 2972 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe \??\c:\windows\resources\themes\explorer.exe
PID 2968 wrote to memory of 2652 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2968 wrote to memory of 2652 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2968 wrote to memory of 2652 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2968 wrote to memory of 2652 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2652 wrote to memory of 2672 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2652 wrote to memory of 2672 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2652 wrote to memory of 2672 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2652 wrote to memory of 2672 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2672 wrote to memory of 2684 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2672 wrote to memory of 2684 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2672 wrote to memory of 2684 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2672 wrote to memory of 2684 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2968 wrote to memory of 2524 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2968 wrote to memory of 2524 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2968 wrote to memory of 2524 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2968 wrote to memory of 2524 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2672 wrote to memory of 2868 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2868 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2868 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2868 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2256 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2256 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2256 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2256 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1900 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1900 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1900 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1900 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe

"C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:01 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:02 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:03 /f

Network

N/A

Files

memory/2972-0-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2972-1-0x0000000077790000-0x0000000077792000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 b1915f089f1eb9ea7ed9e2feed781401
SHA1 f6a0b8072ead0384ded4217594d76241c1b703da
SHA256 0bbc8831bf5a5d719fe2aa6a3f8679956d7179903f6ca81fab5d762bf4f3e1ab
SHA512 27722d6643054cb0151f88c096bc3cc9e40eeb830d12a193f38134310fc147f515cb589a37e6aaa630b12ef132abf86938f81f35964152cd4e1c0ff08fe08db2

memory/2968-12-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2972-11-0x0000000003830000-0x0000000003E46000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 f334ed71d1b9fbfd9705a6177e84c377
SHA1 514e649ce4bda38e187254de87823a0b46896da4
SHA256 2ad572a8020d02d875977035f01693c275fb0c361e323e4bd385525b26b862b6
SHA512 b2a9b2f890b58665c9aefbfc68ceaca418bd3bffca96a737cb8343e21e06ce354cc28d10338ea7fd2220d63984f7704cf99d2ae1842355cb5a933d44a04409b9

memory/2652-24-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2968-22-0x0000000003620000-0x0000000003C36000-memory.dmp

\Windows\Resources\svchost.exe

MD5 a7680b34864a46ff1941a6b71d21ed11
SHA1 41ca5b8dc4424a17cb56ede75b155550c132aa98
SHA256 1985df6ed5f8289b16eaff6775cc847c4149fa4d2427548b8024ae0c2de2c301
SHA512 7466fadb36a59827013a101a4f09b0f46a484e08af7cebbb38ce953268e50c7fb90b74a48ca686ac2f30eb7c40278706a94427e5e7caf44aa42d1d1d93a39703

memory/2652-35-0x0000000003630000-0x0000000003C46000-memory.dmp

memory/2672-36-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2972-43-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2972-45-0x0000000003830000-0x0000000003E46000-memory.dmp

memory/2684-44-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2684-51-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2652-52-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2972-53-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2968-54-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2968-55-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2672-56-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2968-61-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2968-63-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2968-67-0x0000000000400000-0x0000000000A16000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 22:59

Reported

2024-06-11 23:01

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2456 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe \??\c:\windows\resources\themes\explorer.exe
PID 2456 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe \??\c:\windows\resources\themes\explorer.exe
PID 2456 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe \??\c:\windows\resources\themes\explorer.exe
PID 3412 wrote to memory of 4836 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3412 wrote to memory of 4836 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3412 wrote to memory of 4836 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4836 wrote to memory of 2980 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4836 wrote to memory of 2980 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4836 wrote to memory of 2980 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2980 wrote to memory of 1316 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2980 wrote to memory of 1316 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2980 wrote to memory of 1316 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe

"C:\Users\Admin\AppData\Local\Temp\6909d24839e61bb0d65cfd9cff3171322f689ba4b8735e8902190d49953145c6.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3416,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2456-1-0x0000000077CA4000-0x0000000077CA6000-memory.dmp

memory/2456-0-0x0000000000400000-0x0000000000A16000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 2959436000f46ef0d1c8ce85e92d631a
SHA1 61498f1a148b768ad86cf5557d1f0c54eab6b55e
SHA256 ebe4890a78511b9fbef38fa2709ca5c8a97336929c63b88d94f8eda01adba3b4
SHA512 2787582fc8f0ce2162ecbfc7f75c890d6206cfb6b7c81d65db03a40890708adea2c7dfabf01a70fdf95b0a7511514b335332ca827fd375ad93203aafb3fd8c13

memory/3412-10-0x0000000000400000-0x0000000000A16000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 6710bcffafba4f574faee9b434df12f2
SHA1 f091684ea11e57fef195d0404dad56317ed0bc1a
SHA256 f942d4da1c36955074af758ff8e75a203699f4518c30a1258778774109a52e94
SHA512 c15af5ca3416eaa39007d9f4f58788b05665298f4ade5287a56e83571f421ed6ae7ba2d3ba7adc2be6836d7fbeda62d02200db22082db5280d8cd3be632a05c6

memory/4836-19-0x0000000000400000-0x0000000000A16000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 6ef1500a3d72bc65e30baebaf46b3f9a
SHA1 f89d3023681c54d95381cf0f7ff6be09696ca75c
SHA256 0534b5139c62cc36e36735143648c35e0c3b9ae85d3027cf08224d375c025996
SHA512 5aa7e935a307f691af4749770ab06ef71cd794f4e855c9001d253f87dbefd07f5673cc3f8e19843e2a54c47a0709101a016f5a0fcd42464dec72702a439f6a3f

memory/2980-28-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/1316-33-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/1316-38-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2456-42-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/4836-41-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/3412-43-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2980-45-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/3412-52-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/3412-56-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2980-61-0x0000000000400000-0x0000000000A16000-memory.dmp

memory/2980-65-0x0000000000400000-0x0000000000A16000-memory.dmp