Malware Analysis Report

2024-10-16 07:01

Sample ID 240610-pgb5sabb54
Target 560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94
SHA256 560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94

Threat Level: Known bad

The file 560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94 was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Modifies visibility of hidden/system files in Explorer

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Loads dropped DLL

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 12:17

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 12:17

Reported

2024-06-10 12:20

Platform

win7-20240221-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2456 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe \??\c:\windows\resources\themes\explorer.exe
PID 2940 wrote to memory of 2588 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2588 wrote to memory of 2680 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2680 wrote to memory of 2548 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2940 wrote to memory of 2372 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2680 wrote to memory of 2824 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2680 wrote to memory of 2272 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2680 wrote to memory of 2232 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe

"C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:19 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:20 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:21 /f

Network

N/A

Files

memory/2456-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2456-1-0x0000000077B10000-0x0000000077B12000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 d16c747a4a4cc7a5b3d48f65c0127002
SHA1 d63f5a407525b7b51a9a08fb193392800abd7388
SHA256 2601c29aba1df49589650e57192264beaeb4071f0e6d416e44424b18d060a82c
SHA512 969504178ca0a8bfb7ef9113657ab6d2195e53db3f279e21765933cd79ca5c5a2ae9f92671444be978e43f8b7614233d724197be05c357801bcae4a0ce4a2002

memory/2940-11-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\spoolsv.exe

MD5 da71a1df399422a0227810021aa32ba7
SHA1 97bd69948f5358dfa974d4ce254f189365fece03
SHA256 f507791ffe0903bf2d13b3e7ce7f199b7d2aaab154140536cc5c506697d9943a
SHA512 cea6a20e57e7dab355b68b18582d49344f7683af1c448e4a428d322018f807f46a2787c74252c056c82f35860fd8feb08b4bd29009beb2acf863639323b679d0

memory/2940-22-0x0000000003380000-0x000000000398E000-memory.dmp

memory/2588-23-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\svchost.exe

MD5 b86a797efbe0f39c4a4c59bc14d5937a
SHA1 a4cf7792b754cd645ddcd16167a01ece1e4aff0e
SHA256 6448aaaa2f08462c5636833d4d11977359af17091bd2adf8866fa5e222fa7860
SHA512 c477f230e40643202433f1ef8fd4d88aa8a941ce9b9a9f2351bbd629c4119e38a7c0f85ed8297809a93e2e6bef83454ffbdcbeb5fc8ce6f7bfea5ea0672ae91e

memory/2588-34-0x0000000003240000-0x000000000384E000-memory.dmp

memory/2680-35-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2456-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2548-47-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2588-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2456-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2940-52-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2940-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2680-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2940-55-0x0000000003380000-0x000000000398E000-memory.dmp

memory/2680-63-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2940-66-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2940-72-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2940-74-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 12:17

Reported

2024-06-10 12:20

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe \??\c:\windows\resources\themes\explorer.exe
PID 2396 wrote to memory of 3628 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3628 wrote to memory of 1008 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1008 wrote to memory of 4332 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe

"C:\Users\Admin\AppData\Local\Temp\560688888a1a43907c7acdfa965ba262b5633d5bab650b8a2d5f9f6f16d06a94.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2700-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2700-1-0x0000000077C04000-0x0000000077C06000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 417444b0b8ec4cd44db6e171ddadcec0
SHA1 6fdb46eb887951c30099e9def6513137b7790bed
SHA256 8f0f1da53a4dc7bc5cf804693f228bf65094bd59393e47c8cdd6d0b63dc78ed8
SHA512 099f5d6a595400c6060e8286fc8a41713a1d3bc99c04a9cfffe1264f80c817c4c2b29d09336ce1afe096300bea3330cfd957726f3280e82cfdafa91d53b6ad13

memory/2396-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 3462f14836f121368168a29bcd8c3a80
SHA1 45bdfbb1c8ad121096b65d3f3a9e3e5982066344
SHA256 0d440772f86f53d20af4cfafbf724ac8ca565d9c96ea6dacbd2ea777a66538c3
SHA512 1fa58dc0e9b30a48374bd443531578d849de64f44d0f382ae9d5ae1b0c93bf3d6be67957f613a0542a6f4d4106cf4c819c07847092bba7796e837d64e6abc9e4

memory/3628-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 5530b4e6aaf72cfe99ea9c6c1ed1f0f4
SHA1 784dc118356f45a8086627792e092048cee58f94
SHA256 c5102955e70a471383aa0366f30d892b6846321a5792d0dd9271f7e991e637a2
SHA512 e9b620751df3d639729a0263039b3c5eb4d416bf3b564ec608bc79997e4ed619a00bd0a10639559b8e7495d34a3546e9a6aa1b75d294f7b49b524e4ca3b9d5c3

memory/1008-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4332-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4332-38-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3628-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2700-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2396-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1008-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2396-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2396-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1008-62-0x0000000000400000-0x0000000000A0E000-memory.dmp