Malware Analysis Report

2024-12-06 03:28

Sample ID 241022-raapgszhkn
Target c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105
SHA256 c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105
Tags redosdru gh0strat discovery downloader loader rat upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105

Threat Level: Known bad

The file c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105 was found to be: Known bad.

Malicious Activity Summary

redosdru gh0strat discovery downloader loader rat upx

Redosdru

Gh0st RAT payload

Gh0strat

Redosdru family

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Deletes itself

UPX packed file

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-22 13:58

Signatures

Redosdru family

redosdru

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-22 13:58

Reported

2024-10-22 14:01

Platform

win7-20240903-en

Max time kernel

119s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe"

Signatures

Gh0st RAT payload

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Gh0strat

rat gh0strat

Redosdru

loader downloader redosdru

Deletes itself

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_8C1AD9434E0E1576771CA7E7EAD43D9E | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_8C1AD9434E0E1576771CA7E7EAD43D9E | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |

UPX packed file

upx

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
| File created | C:\Program Files\AppPatch\8.77.dll | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
| File opened for modification | C:\Program Files\AppPatch\8.77.dll | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |

Program crash

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Windows NT\conhostdhfw.exe |

System Location Discovery: System Language Discovery

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |

Modifies data under HKEY_USERS

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7DB5659-E4C4-4470-8D10-BFD6F829B65B}\92-3b-07-0d-6f-cf | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-3b-07-0d-6f-cf\WpadDecisionTime = 00f510918a24db01 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7DB5659-E4C4-4470-8D10-BFD6F829B65B}\WpadDecisionTime = 00f510918a24db01 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7DB5659-E4C4-4470-8D10-BFD6F829B65B}\WpadNetworkName = "Network 3" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-3b-07-0d-6f-cf\WpadDecisionReason = "1" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-3b-07-0d-6f-cf | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7DB5659-E4C4-4470-8D10-BFD6F829B65B} | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7DB5659-E4C4-4470-8D10-BFD6F829B65B}\WpadDecision = "0" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7DB5659-E4C4-4470-8D10-BFD6F829B65B}\WpadDecisionReason = "1" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2444 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | C:\Program Files (x86)\Windows NT\conhostdhfw.exe |
| PID 2444 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | C:\Program Files (x86)\Windows NT\conhostdhfw.exe |
| PID 2444 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | C:\Program Files (x86)\Windows NT\conhostdhfw.exe |
| PID 2444 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | C:\Program Files (x86)\Windows NT\conhostdhfw.exe |
| PID 2004 wrote to memory of 2160 | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Program Files (x86)\Windows NT\conhostdhfw.exe |
| PID 2004 wrote to memory of 2160 | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Program Files (x86)\Windows NT\conhostdhfw.exe |
| PID 2004 wrote to memory of 2160 | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Program Files (x86)\Windows NT\conhostdhfw.exe |
| PID 2004 wrote to memory of 2160 | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Program Files (x86)\Windows NT\conhostdhfw.exe |
| PID 2004 wrote to memory of 3052 | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2004 wrote to memory of 3052 | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2004 wrote to memory of 3052 | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2004 wrote to memory of 3052 | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Windows\SysWOW64\WerFault.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe

"C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe"

C:\Program Files (x86)\Windows NT\conhostdhfw.exe

"C:\Program Files (x86)\Windows NT\conhostdhfw.exe"

C:\Program Files (x86)\Windows NT\conhostdhfw.exe

"C:\Program Files (x86)\Windows NT\conhostdhfw.exe"

C:\Program Files (x86)\Windows NT\conhostdhfw.exe

"C:\Program Files (x86)\Windows NT\conhostdhfw.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 344

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | xiazai.caobibibi.com | udp |
| HK | 156.241.7.116:7744 | xiazai.caobibibi.com | tcp |
| US | 8.8.8.8:53 | bj.caobibibi.com | udp |
| HK | 154.213.24.14:10087 | bj.caobibibi.com | tcp |
| US | 8.8.8.8:53 | user.qzone.qq.com | udp |
| HK | 43.129.115.16:80 | user.qzone.qq.com | tcp |
| HK | 43.129.115.16:443 | user.qzone.qq.com | tcp |
| US | 8.8.8.8:53 | i.qq.com | udp |
| HK | 43.135.106.65:80 | i.qq.com | tcp |
| HK | 43.135.106.65:443 | i.qq.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| HK | 154.213.24.14:10087 | bj.caobibibi.com | tcp |
| HK | 43.129.115.16:80 | user.qzone.qq.com | tcp |
| HK | 43.129.115.16:443 | user.qzone.qq.com | tcp |
| HK | 43.135.106.65:80 | i.qq.com | tcp |
| HK | 43.135.106.65:443 | i.qq.com | tcp |

Files

C:\Program Files\AppPatch\8.77.dll

MD5 0a74e0bffbce3cc5466796739cfdeb44
SHA1 c3b50df0a1de18b7053bff1b0293f5512f824055
SHA256 cdabc33a27b23c2060637193a4cbad94e16d31e6a4df7d67bdc6b63c1d056b30
SHA512 9fb4f39d95820f63da2d8767b76f317c512a8db1b86428f04baf4b163d0deaee5c4726c9f66807a3b1c223d575557fabc88e0cde73a4561b304f6edd76b8cc36

memory/2444-5-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2444-9-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2444-8-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2444-10-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2312-25-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2312-24-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2312-26-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2312-21-0x0000000010000000-0x000000001034B000-memory.dmp

C:\Program Files (x86)\Windows NT\conhostdhfw.exe

MD5 90d83bbad8110780e90b8f0beab172f9
SHA1 0ced0e716b07945787bf78ae6296a5f24bfdbe59
SHA256 c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105
SHA512 92d4a6697644925176852c2b43bf297b16afadc2a993c135b5aa9df3c74a280bfb7cde883c6bf5c8b06202ff55168997dcf89ef2e791a3aeaca3cb09b6ac7707

memory/2004-33-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2004-44-0x0000000010000000-0x000000001034B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Windows\Temp\TarEA35.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 1e481531d370555005513c35d35df417
SHA1 38683f3bc01ad479fa10fbd1b921a5a722f6ac42
SHA256 a92c7b5f0c76e0b8840088ae9c0e9eb611027089e0d4a90be1484b348ec5a409
SHA512 6bfe3588d3b3bccca48e9c17bfd028c5c992c66859509aac8347c6eedab0126bdd0813c155b721e097f9cb4dc24ccd8edd42ce41aa564232111e8cca413bbec6

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-22 13:58

Reported

2024-10-22 14:01

Platform

win10v2004-20241007-en

Max time kernel

132s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe"

Signatures

Gh0st RAT payload

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Gh0strat

rat gh0strat

Redosdru

loader downloader redosdru

Checks computer location settings

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |

Deletes itself

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_BC1D0671A6396D650996E0E6013A6D37 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_8C1AD9434E0E1576771CA7E7EAD43D9E | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_BC1D0671A6396D650996E0E6013A6D37 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_8C1AD9434E0E1576771CA7E7EAD43D9E | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |

UPX packed file

upx

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
| File created | C:\Program Files\AppPatch\8.77.dll | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
| File opened for modification | C:\Program Files\AppPatch\8.77.dll | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |

Enumerates physical storage devices

Program crash

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Windows NT\conhostdhfw.exe |

System Location Discovery: System Language Discovery

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |

Modifies data under HKEY_USERS

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows NT\conhostdhfw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows NT\conhostdhfw.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows NT\conhostdhfw.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe

"C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe"

C:\Program Files (x86)\Windows NT\conhostdhfw.exe

"C:\Program Files (x86)\Windows NT\conhostdhfw.exe"

C:\Program Files (x86)\Windows NT\conhostdhfw.exe

"C:\Program Files (x86)\Windows NT\conhostdhfw.exe"

C:\Program Files (x86)\Windows NT\conhostdhfw.exe

"C:\Program Files (x86)\Windows NT\conhostdhfw.exe"

C:\Program Files (x86)\Windows NT\conhostdhfw.exe

"C:\Program Files (x86)\Windows NT\conhostdhfw.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1688 -ip 1688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 560

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 xiazai.caobibibi.com udp
HK 156.241.7.116:7744 xiazai.caobibibi.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 116.7.241.156.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 bj.caobibibi.com udp
HK 154.213.24.14:10087 bj.caobibibi.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 user.qzone.qq.com udp
HK 43.159.234.61:80 user.qzone.qq.com tcp
HK 43.159.234.61:443 user.qzone.qq.com tcp
US 8.8.8.8:53 61.234.159.43.in-addr.arpa udp
US 8.8.8.8:53 i.qq.com udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
HK 43.135.106.77:80 i.qq.com tcp
HK 43.135.106.77:443 i.qq.com tcp
US 8.8.8.8:53 77.106.135.43.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
HK 154.213.24.14:10087 bj.caobibibi.com tcp
HK 43.159.234.61:80 user.qzone.qq.com tcp
HK 43.159.234.61:443 user.qzone.qq.com tcp
HK 43.135.106.77:80 i.qq.com tcp
HK 43.135.106.77:443 i.qq.com tcp

Files

C:\Program Files\AppPatch\8.77.dll

MD5 0a74e0bffbce3cc5466796739cfdeb44
SHA1 c3b50df0a1de18b7053bff1b0293f5512f824055
SHA256 cdabc33a27b23c2060637193a4cbad94e16d31e6a4df7d67bdc6b63c1d056b30
SHA512 9fb4f39d95820f63da2d8767b76f317c512a8db1b86428f04baf4b163d0deaee5c4726c9f66807a3b1c223d575557fabc88e0cde73a4561b304f6edd76b8cc36

memory/2680-5-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2680-8-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2680-9-0x0000000010000000-0x000000001034B000-memory.dmp

C:\Program Files (x86)\Windows NT\conhostdhfw.exe

MD5 90d83bbad8110780e90b8f0beab172f9
SHA1 0ced0e716b07945787bf78ae6296a5f24bfdbe59
SHA256 c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105
SHA512 92d4a6697644925176852c2b43bf297b16afadc2a993c135b5aa9df3c74a280bfb7cde883c6bf5c8b06202ff55168997dcf89ef2e791a3aeaca3cb09b6ac7707

memory/2680-12-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2680-10-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2956-27-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2956-26-0x0000000010000000-0x000000001034B000-memory.dmp

memory/1688-29-0x0000000010000000-0x000000001034B000-memory.dmp

memory/1688-32-0x0000000010000000-0x000000001034B000-memory.dmp

memory/1688-33-0x0000000010000000-0x000000001034B000-memory.dmp

memory/1688-34-0x0000000010000000-0x000000001034B000-memory.dmp

memory/1688-35-0x0000000010000000-0x000000001034B000-memory.dmp

memory/1688-48-0x0000000010000000-0x000000001034B000-memory.dmp