Malware Analysis Report

2025-08-05 21:25

Sample ID 231221-1pp76abfc3
Target 0653a11e9915e895339ae0b1e1b4b15b
SHA256 0d22dd434899945a1d3c38e17dbf83a2dae6296ec094c273b2f10a0cc7767fc3
Tags
vmprotect upx
score
7/10

Analysis Overview

score
7/10

SHA256

0d22dd434899945a1d3c38e17dbf83a2dae6296ec094c273b2f10a0cc7767fc3

Threat Level: Shows suspicious behavior

The file 0653a11e9915e895339ae0b1e1b4b15b was found to be: Shows suspicious behavior.

Malicious Activity Summary

vmprotect upx

VMProtect packed file

UPX packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Runs net.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-21 21:49

Signatures

VMProtect packed file

vmprotect

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-21 21:49

Reported

2023-12-21 23:26

Platform

win7-20231215-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe"

Signatures

UPX packed file

upx

VMProtect packed file

vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Control Panel\Appearance\Schemes C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2612 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2668 wrote to memory of 2556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2248 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2980 wrote to memory of 1640 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2248 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe C:\Windows\SysWOW64\rundll32.exe
PID 2248 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1624 wrote to memory of 1116 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2248 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 2124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2124 wrote to memory of 592 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2248 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe

"C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c sc config "UxSms" start= demand

C:\Windows\SysWOW64\net.exe

net stop "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\sc.exe

sc config "UxSms" start= demand

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\cmd.exe

cmd /c net stop "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\cmd.exe

cmd /c net start "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\net.exe

net start "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"

C:\Windows\SysWOW64\cmd.exe

cmd /c net stop "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\net.exe

net stop "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\SysWOW64\cmd.exe

cmd /c net start "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\net.exe

net start "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"

C:\Windows\SysWOW64\cmd.exe

cmd /c net stop "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\net.exe

net stop "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\cmd.exe

cmd /c net start "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\net.exe

net start "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "

C:\Windows\SysWOW64\cmd.exe

cmd /c net stop "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows\DWM" /v Composition /t reg_dword /d 00000001 /f

C:\Windows\SysWOW64\net.exe

net stop "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows\DWM" /v CompositionPolicy /t reg_dword /d 00000002 /f

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\net.exe

net stop uxsms

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop uxsms

C:\Windows\SysWOW64\net.exe

net start uxsms

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start uxsms

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c net start "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\net.exe

net start "Desktop Window Manager Session Manager"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"

Network


Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme


C:\Users\Admin\AppData\Local\Temp\1.bat


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-21 21:49

Reported

2023-12-21 23:26

Platform

win10v2004-20231215-en

Max time kernel

157s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe"

Signatures

UPX packed file

upx

VMProtect packed file

vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe

"C:\Users\Admin\AppData\Local\Temp\0653a11e9915e895339ae0b1e1b4b15b.exe"

Network


Files
