Malware Analysis Report

2024-10-10 08:02

Sample ID 240611-1j445asgkr
Target 4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a
SHA256 4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a

Threat Level: Known bad

The file 4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Detects executables packed with Themida

Modifies visibility of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 21:41

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 21:41

Reported

2024-06-11 21:44

Platform

win7-20240221-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A (19 hits; the sandbox reports no per-hit details)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (19 hits; the sandbox reports no per-hit details)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Hits
C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe 17
\??\c:\windows\resources\themes\explorer.exe 26
\??\c:\windows\resources\svchost.exe 21
(64 rows in the original table; Description, Indicator and Target are N/A for every row)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2864 wrote to memory of 1760 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe \??\c:\windows\resources\themes\explorer.exe
PID 1760 wrote to memory of 2984 (4 writes) N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2984 wrote to memory of 2556 (4 writes) N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2556 wrote to memory of 2564 (4 writes) N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1760 wrote to memory of 2760 (4 writes) N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2556 wrote to memory of 2508 (4 writes) N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2556 wrote to memory of 2328 (4 writes) N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2556 wrote to memory of 1872 (4 writes) N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
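The writer/target pairs in this table are the sandbox's record of how the sample builds its chain: each dropped copy writes into the next one it starts, and the dropped themes\explorer.exe also writes into the genuine C:\Windows\Explorer.exe. The Python below is an added example, not part of the sandbox report, that parses rows in the sandbox's own row format (one row per write: "PID <writer> wrote to memory of <target> N/A <writer image> <target image>") into a parent/child tree with write counts, and lists the targets whose image is not one of the copies dropped under c:\windows\resources. The embedded row text is copied from this run's table, with the four-fold repetition the sandbox printed; the PID-to-image mapping comes from the rows themselves, and the function names are mine.

```python
"""Rebuild the spawn chain from the sandbox's "wrote to memory" rows.

Added example; not part of the sandbox report. Row text is copied from the
behavioral1 table, so the parser targets that exact format:
  PID <writer> wrote to memory of <target> N/A <writer image> <target image>
"""
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe"
DROPPED_EXPLORER = r"\??\c:\windows\resources\themes\explorer.exe"
DROPPED_SPOOLSV = r"\??\c:\windows\resources\spoolsv.exe"
DROPPED_SVCHOST = r"\??\c:\windows\resources\svchost.exe"
REAL_EXPLORER = r"C:\Windows\Explorer.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# The eight distinct rows of the behavioral1 table; the sandbox printed each
# one four times, and that repetition is reproduced so the parser has to count.
WPM_ROWS = [
    f"PID 2864 wrote to memory of 1760 N/A {SAMPLE} {DROPPED_EXPLORER}",
    f"PID 1760 wrote to memory of 2984 N/A {DROPPED_EXPLORER} {DROPPED_SPOOLSV}",
    f"PID 2984 wrote to memory of 2556 N/A {DROPPED_SPOOLSV} {DROPPED_SVCHOST}",
    f"PID 2556 wrote to memory of 2564 N/A {DROPPED_SVCHOST} {DROPPED_SPOOLSV}",
    f"PID 1760 wrote to memory of 2760 N/A {DROPPED_EXPLORER} {REAL_EXPLORER}",
    f"PID 2556 wrote to memory of 2508 N/A {DROPPED_SVCHOST} {SCHTASKS}",
    f"PID 2556 wrote to memory of 2328 N/A {DROPPED_SVCHOST} {SCHTASKS}",
    f"PID 2556 wrote to memory of 1872 N/A {DROPPED_SVCHOST} {SCHTASKS}",
] * 4

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DROP_DIR = "\\windows\\resources\\"   # where this sample keeps its look-alike copies


def parse_rows(rows):
    """Return (Counter of (writer_pid, target_pid) -> writes, {pid: image})."""
    edges, images = Counter(), {}
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        writer, target, writer_img, target_img = m.groups()
        writer, target = int(writer), int(target)
        edges[(writer, target)] += 1
        images[writer] = writer_img
        images[target] = target_img
    return edges, images


def build_tree(edges):
    """Roots are writers that nobody wrote into; children keep table order."""
    children = defaultdict(list)
    for writer, target in edges:
        children[writer].append(target)
    targets = {target for _, target in edges}
    roots = sorted({writer for writer, _ in edges} - targets)
    return roots, children


def render(edges, images):
    """Indented one-line-per-process view of the chain, with write counts."""
    roots, children = build_tree(edges)
    lines = []

    def walk(pid, depth, writes):
        suffix = f"  [{writes} writes from parent]" if writes else ""
        lines.append("  " * depth + f"{pid} {images[pid]}{suffix}")
        for child in sorted(children[pid]):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return lines


def foreign_targets(edges, images):
    """PIDs written into whose image is not a copy under the drop directory."""
    return sorted({t for _, t in edges if DROP_DIR not in images[t].lower()})


if __name__ == "__main__":
    edges, images = parse_rows(WPM_ROWS)
    print("\n".join(render(edges, images)))
    print("targets outside the drop directory:",
          [(pid, images[pid]) for pid in foreign_targets(edges, images)])
```

Run against this run's rows, the tree has a single root (2864, the sample) and follows the order of the Processes list: themes\explorer.exe (1760) starts spoolsv.exe (2984) and the genuine Explorer.exe (2760); spoolsv.exe starts svchost.exe (2556), which starts a second spoolsv.exe (2564) and the three schtasks.exe instances. The only targets outside c:\windows\resources are the genuine Explorer.exe and schtasks.exe, which are also the processes an analyst would want to inspect first.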

Processes

C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe

"C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:43 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:44 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:45 /f
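The persistence in this run is visible in three places: the RunOnce values Explorer and Svchost, the ShowSuperHidden change that re-hides protected OS files, and the three schtasks /create invocations above, all of which point at copies under c:\windows\resources that borrow the names of Windows system binaries. The Python below is an added example, not part of the sandbox report, showing detection logic a practitioner could run over endpoint telemetry for exactly these indicators. The event records are a constructed, simplified stand-in for Sysmon process-creation and registry value-set events (the field names type, image, cmdline, key and data are mine), populated from this run's indicators plus two benign controls; the task-name heuristic and the assumption that genuine Explorer runs from C:\Windows\explorer.exe are also mine.

```python
"""Flag the persistence and Explorer tampering seen in this run.

Added example; not part of the sandbox report. Event records are a
constructed, simplified stand-in for Sysmon process-creation (EID 1) and
registry value-set (EID 13) events; the field names are mine.
"""
import re

# Directory the sample drops its look-alike copies into (from the report).
DROP_DIR = "c:\\windows\\resources\\"
# Heuristic (mine): a task named after a core Windows image deserves a look.
SYSTEM_IMAGE_NAMES = {"svchost", "spoolsv", "explorer"}
# Assumption (mine): genuine Explorer lives here; the dropped one does not.
REAL_EXPLORER = "c:\\windows\\explorer.exe"
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

EVENTS = [  # constructed from the report's indicators, plus two benign controls
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": 'schtasks /create /tn "svchost" /tr "c:\\windows\\resources\\svchost.exe"'
                ' /sc daily /st 21:43 /f'},
    {"type": "registry", "image": r"\??\c:\windows\resources\svchost.exe",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     "data": r"c:\windows\resources\svchost.exe RO"},
    {"type": "registry", "image": r"\??\c:\windows\resources\themes\explorer.exe",
     "key": r"HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft"
            r"\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "data": "0"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",   # benign control
     "cmdline": 'schtasks /create /tn "NightlyBackup" /tr "C:\\Program Files\\Acme\\backup.exe"'
                ' /sc daily /st 02:00'},
    {"type": "registry", "image": r"C:\Windows\explorer.exe",            # benign control
     "key": r"HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft"
            r"\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "data": "1"},
]


def schtasks_args(cmdline):
    """Map schtasks switches to values: /tn "svchost" -> {"/tn": "svchost"};
    switches without a value (/create, /f) map to True."""
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]
    args, i = {}, 0
    while i < len(tokens):
        switch = tokens[i].lower()
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
        if switch.startswith("/") and has_value:
            args[switch] = tokens[i + 1]
            i += 2
        else:
            args[switch] = True
            i += 1
    return args


def check_process(ev):
    """schtasks /create whose action runs from the drop directory, or whose
    task name imitates a Windows service image."""
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    args = schtasks_args(ev["cmdline"])
    if "/create" not in args:
        return None
    name, action = args.get("/tn", ""), args.get("/tr", "")
    if DROP_DIR in action.lower():
        return f"scheduled task '{name}' runs dropped file {action}"
    if name.lower() in SYSTEM_IMAGE_NAMES:
        return f"scheduled task '{name}' imitates a Windows system image"
    return None


def check_registry(ev):
    """Run/RunOnce entries pointing into the drop directory, and
    ShowSuperHidden forced to 0 by anything other than the real Explorer."""
    key, data = ev["key"].lower(), str(ev["data"]).lower()
    proc = ev["image"].lower()
    if proc.startswith("\\??\\"):          # strip the NT object-manager prefix
        proc = proc[4:]
    if re.search(r"\\currentversion\\run(once)?\\", key) and DROP_DIR in data:
        return f"autorun {ev['key']} starts dropped file: {ev['data']}"
    if (key.endswith("\\explorer\\advanced\\showsuperhidden")
            and data == "0" and proc != REAL_EXPLORER):
        return f"{ev['image']} re-hid protected OS files (ShowSuperHidden=0)"
    return None


def scan(events):
    """Return one finding per matching event, in input order."""
    findings = []
    for ev in events:
        check = check_process if ev["type"] == "process" else check_registry
        msg = check(ev)
        if msg:
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print("ALERT:", finding)
```

The three malicious events produce one finding each and both controls stay quiet. The /tr check is the robust one: it keys on the drop directory the sample actually uses, whereas the task-name heuristic will also fire on any legitimately odd task called svchost, so treat it as a triage hint rather than a verdict.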

Network

N/A

Files

memory/2864-0-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/2864-1-0x0000000077810000-0x0000000077812000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 b262e6f2e5752cf5f8fa1381027ba504
SHA1 09c9bcd54617de0b52c32eaa93737d56b7241fa3
SHA256 7e6e5573366f2d9d35745e60182392242794be2c617d501ffd427e45399e3249
SHA512 1549e329e7cfaf0f711051af7783de07393e25c21076322210ad039fe5e3c855ef29e9cab4e23c214f33507c68356298ccbc052e14dda2ae99b174ce32e951a3

memory/1760-11-0x0000000000400000-0x0000000000A60000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 c378f266a2d033c2734b372d5f2dfce3
SHA1 3d7dfabdbdd98075f9f22ae7a5379e5331050df7
SHA256 c899576f2479a7c1e73d231c715216a071495babaf40a21cdc71dc18ddb12933
SHA512 73816fda3e20941c3c67ed953d6af20cf9d9ecf0b57373777237eab2f1e1918d2bf4bd98efd06f75cd0fd4d21f6e6da7fb98948dcbc134fc81bc15bd16e9a1b2

memory/2984-23-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/1760-22-0x0000000003720000-0x0000000003D80000-memory.dmp

\Windows\Resources\svchost.exe

MD5 c6a7852fb51a7bae96fb4302791fb114
SHA1 d1dc3edabcfa71959d974ef815e7347b6a02e0ca
SHA256 ca8611542e29d60c0685c4ddcd48f903452e0f9f05785127df1016831d7dc1e0
SHA512 6248d24bd7e0ecfa5bda045d7d22b81a6dc3e649206e8c783bed200453f6066aa971c8869529d14a33aa9e35339d2ef1df0c3347a9dfce24e97ce3655d80dd4a

memory/2984-34-0x0000000003810000-0x0000000003E70000-memory.dmp

memory/2556-35-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/2864-42-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/2864-44-0x0000000003770000-0x0000000003DD0000-memory.dmp

memory/2564-43-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/2564-48-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/2984-50-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/2864-52-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/1760-53-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/2556-55-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/1760-54-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/1760-60-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/1760-66-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/2556-71-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/2556-77-0x0000000000400000-0x0000000000A60000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 21:41

Reported

2024-06-11 21:44

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A (17 hits; the sandbox reports no per-hit details)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (17 hits; the sandbox reports no per-hit details)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Hits
C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe 34
\??\c:\windows\resources\themes\explorer.exe 30
(64 rows in the original table; Description, Indicator and Target are N/A for every row)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4656 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe \??\c:\windows\resources\themes\explorer.exe
PID 4656 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe \??\c:\windows\resources\themes\explorer.exe
PID 4656 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe \??\c:\windows\resources\themes\explorer.exe
PID 3008 wrote to memory of 1336 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3008 wrote to memory of 1336 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3008 wrote to memory of 1336 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1336 wrote to memory of 2656 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1336 wrote to memory of 2656 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1336 wrote to memory of 2656 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2656 wrote to memory of 4676 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2656 wrote to memory of 4676 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2656 wrote to memory of 4676 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe

"C:\Users\Admin\AppData\Local\Temp\4bf98a0866632253ac02c2f1cf8458a67da8f675bdb6895e104a723e9f8f496a.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

memory/4656-0-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/4656-1-0x0000000077814000-0x0000000077816000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 c0add2013d12cdaa7992160b19350d76
SHA1 ddce55634f16e3c9eff12cb7086413b82ea51edb
SHA256 f620341321eea0c8ee0bc50ca2382faf0c13bf1a231d53e307f98e23b4cd2d4f
SHA512 22257bb2930767b33064d48caa67bef05f827dcf7f1b0f4784ae2d87b35993a1b1b96725af246d0221c57f255e8724e39fcd271fa54ef8bcdc67f321dcf2ec39

memory/3008-10-0x0000000000400000-0x0000000000A60000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 d227d6180ab63de477144ca31b194f56
SHA1 93d380b04daa08ce8e7e3f29fa09bc65f92bf912
SHA256 885cc245e52a5c1880e8705d57933f3069b96e9f761357d72cb6d031008cab23
SHA512 b6a120afb266ad83d7fd072fdb0631defc16fc8ca856d1f71102aad015eed3b987eb791234bd8d2f378ac9226839e5aea6c86b01374b8814154d7eae0e4b5f6a

memory/1336-19-0x0000000000400000-0x0000000000A60000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 6a4bbdf5e7a204483cbaf36d2d81bf47
SHA1 6bd77d4160806a3c2f3c5d03b56bd072b1408e1e
SHA256 2005570961f4dca6441147fee886580878d65e327ef5dc4fbadbf07276d35035
SHA512 75e8c0f1af3e7520914a049f4cd2cb6c711ba095719cfd5934e13d0fd543435faaf63813843d2aad51113349d0c62bbe1a4af3a799be3c22bbe4b8d4b224d009

memory/2656-28-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/4676-33-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/4676-38-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/1336-41-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/4656-42-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/3008-43-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/3008-45-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/2656-44-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/2656-51-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/2656-55-0x0000000000400000-0x0000000000A60000-memory.dmp

memory/3008-56-0x0000000000400000-0x0000000000A60000-memory.dmp