Malware Analysis Report

2024-10-10 08:02

Sample ID 240611-y1rt1szflb
Target 2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b
SHA256 2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b

Threat Level: Known bad

The file 2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Detects executables packed with Themida

Modifies visibility of hidden/system files in Explorer

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Loads dropped DLL

Executes dropped EXE

Checks BIOS information in registry

Themida packer

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 20:15

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 20:15

Reported

2024-06-11 20:18

Platform

win7-20240508-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe \??\c:\windows\resources\themes\explorer.exe
PID 896 wrote to memory of 2628 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2628 wrote to memory of 2744 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2744 wrote to memory of 2540 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 896 wrote to memory of 2556 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2744 wrote to memory of 2648 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2744 wrote to memory of 316 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2744 wrote to memory of 348 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe

"C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:17 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:18 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:19 /f

Network

N/A

Files

memory/2960-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2960-2-0x0000000077C20000-0x0000000077C22000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 e81356ab83b7e65c58623eddf0b002c2
SHA1 a9f9c4c03d9577cc8a1e2b9c020e6f449004dfc0
SHA256 c08a529d16695136ff239688809321df46933a2d8ff4cd0a2bc1eda72699a66a
SHA512 a648651f70c433722ed0181500d304319d48087c878bd0fe0a5cc3b452250a4fc3de41817b97ab1fb71642ff0629ef7ff3ce913c16e8d77f68044aad6d690928

memory/2960-11-0x0000000003640000-0x0000000003C4E000-memory.dmp

memory/896-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 d5083ddcfb9fa241e1a62393d5a5f090
SHA1 b33bf17ab8271db08bd229791c3e2b01552bcc60
SHA256 2e6e41b52d28e22cb6ac1e799bb10e97b537f9a4268b75271d819de8d29c0da6
SHA512 ac818a4c3439f7cbc43dcb7ba618c2faba877963b09536f3678db2020944abac2129607a97da5eac99ea0224c4180799036bd1dc27f83960f7599c3a1c7c6b4a

memory/2628-23-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\svchost.exe

MD5 36589ec01612a055b1a03db5e4c99142
SHA1 052c9436db18e5f9c72c083515cde59a048561dc
SHA256 d817ff0afa884162110963d7a4cd08ac89ad5a55891fa60aefeb4d21d1265146
SHA512 bb4290216560122a56581b30df15ae794ae127a4c8f738d4d455238cf72b734d2dd12ee545bbbd9c33fe903fc01fd977de572544bafa399e7d8fb82c071b627f

memory/2628-33-0x00000000037C0000-0x0000000003DCE000-memory.dmp

memory/2744-35-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2960-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2540-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2628-50-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2540-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2960-52-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/896-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/896-55-0x00000000036D0000-0x0000000003CDE000-memory.dmp

memory/2744-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/896-65-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/896-73-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/896-75-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 20:15

Reported

2024-06-11 20:18

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4188 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe \??\c:\windows\resources\themes\explorer.exe
PID 4188 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe \??\c:\windows\resources\themes\explorer.exe
PID 4188 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe \??\c:\windows\resources\themes\explorer.exe
PID 4420 wrote to memory of 2100 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4420 wrote to memory of 2100 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4420 wrote to memory of 2100 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2100 wrote to memory of 1844 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2100 wrote to memory of 1844 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2100 wrote to memory of 1844 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1844 wrote to memory of 708 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1844 wrote to memory of 708 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1844 wrote to memory of 708 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe

"C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR
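Triage check (added example, not part of the sandbox report): the WriteProcessMemory rows above describe a linear injection chain, sample -> explorer.exe -> spoolsv.exe -> svchost.exe -> spoolsv.exe, in which every stage runs from c:\windows\resources\ under the name of a Windows system binary. The Python below parses those rows as copied from the table, rebuilds the chain from the PID pairs and flags any listed name whose directory is not where that binary lives on a default install. The allowlist in EXPECTED_DIRS is an assumption kept to the three names seen in this report; the \??\ prefix is the NT object-manager form the sandbox records and is stripped before comparison.

```python
"""Triage helper (added example, not part of the sandbox report): rebuild the
process-injection chain from the 'Suspicious use of WriteProcessMemory' rows
and flag Windows system-binary names executing from unexpected directories."""
import re
from pathlib import PureWindowsPath

# Rows copied from the report's WriteProcessMemory table (one repeat kept to
# show that duplicate events are collapsed).
WPM_ROWS = [
    r"PID 4188 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe \??\c:\windows\resources\themes\explorer.exe",
    r"PID 4188 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2fbdd680c86164f6120929d9ef817065f2c55bdee785c2f4ae9e30e01feaec1b.exe \??\c:\windows\resources\themes\explorer.exe",
    r"PID 4420 wrote to memory of 2100 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe",
    r"PID 2100 wrote to memory of 1844 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe",
    r"PID 1844 wrote to memory of 708 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe",
]

# Assumption: minimal allowlist of where these names legitimately live on a
# default install. A production list should be generated from a golden image.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def normalize(path: str) -> str:
    """Drop surrounding quotes and the NT object-manager prefix, then lowercase."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def masquerade_verdict(path: str):
    """True if a known system-binary name runs outside its expected directory,
    False if it is where it belongs, None if the name is not on the list."""
    p = PureWindowsPath(normalize(path))
    expected = EXPECTED_DIRS.get(p.name)
    if expected is None:
        return None
    return str(p.parent) not in expected


def parse_wpm(rows):
    """Parse report rows into unique (src_pid, dst_pid, src_path, dst_path) edges."""
    edges, seen = [], set()
    for row in rows:
        m = WPM_RE.match(row.strip())
        if not m:
            continue  # header or malformed line
        src_pid, dst_pid, src, dst = m.groups()
        edge = (int(src_pid), int(dst_pid), normalize(src), normalize(dst))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def injection_chain(edges):
    """Order edges root-first by following each target PID to the edge it later
    sources (one outgoing edge per PID is enough for a linear chain). A visited
    set guards against PID reuse producing a cycle."""
    by_src = {e[0]: e for e in edges}
    targets = {e[1] for e in edges}
    chain, visited = [], set()
    for root in (e for e in edges if e[0] not in targets):
        e = root
        while e is not None and e[0] not in visited:
            visited.add(e[0])
            chain.append(e)
            e = by_src.get(e[1])
    return chain


def triage(rows):
    """Return the ordered chain and the sorted set of masqueraded paths in it."""
    chain = injection_chain(parse_wpm(rows))
    flagged = {p for e in chain for p in e[2:] if masquerade_verdict(p)}
    return chain, sorted(flagged)


if __name__ == "__main__":
    chain, flagged = triage(WPM_ROWS)
    for src_pid, dst_pid, src, dst in chain:
        print(f"{src_pid} ({PureWindowsPath(src).name}) -> {dst_pid} ({PureWindowsPath(dst).name})")
    print("masqueraded system-binary names:", *flagged, sep="\n  ")
```

Run as a script it prints the four-hop chain and the three masqueraded paths. masquerade_verdict returns None for names that are not on the list (the sample itself, for instance), so the absence of a hit is not a clean verdict, only an unknown.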

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
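The Domain column above holds the owner names of reverse (PTR) lookups sent to 8.8.8.8:53, not connections to the looked-up hosts, and the last row carries no domain at all. Added example, not from the report: decode each in-addr.arpa (and, beyond what this table needs, ip6.arpa) name back to the address that was queried, so it can be checked against the process that issued it and the address owner before it is treated as sample infrastructure. The rows are copied from the table; the empty-domain row and the header line are kept to show they are handled.

```python
"""Decode the reverse-DNS (PTR) queries in a sandbox Network table back to the
IPv4/IPv6 addresses that were looked up. Added example, not part of the
sandbox report; the rows below are copied from the report's table."""
import ipaddress

NETWORK_ROWS = [
    "Country Destination Domain Proto",  # header line, skipped by the parser
    "US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp",
    "US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp",
    "US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp",
    "US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp",
    "US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp",
    "US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp",
    "US 8.8.8.8:53 udp",  # last row of the table: Domain column is empty
]


def ptr_to_ip(name):
    """Map a PTR owner name to its address as a string; None when the name is
    missing, not under in-addr.arpa/ip6.arpa, or not a full host name."""
    if not name:
        return None
    labels = name.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            # 4 octets written least-significant first: reverse them
            return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
        if (labels[-2:] == ["ip6", "arpa"] and len(labels) == 34
                and all(len(l) == 1 for l in labels[:32])):
            # 32 hex nibbles, least-significant first: reverse and rejoin
            return str(ipaddress.IPv6Address(int("".join(reversed(labels[:32])), 16)))
    except ValueError:
        return None
    return None


def parse_network(rows):
    """Return (destination, ptr_name_or_None, decoded_ip_or_None) per data row.
    Rows whose Destination is not ip:port (the header, garbage) are skipped."""
    out = []
    for row in rows:
        parts = row.split()
        if len(parts) == 4:
            _country, dest, domain, _proto = parts
        elif len(parts) == 3:  # Domain column empty
            _country, dest, _proto = parts
            domain = None
        else:
            continue
        host, _, port = dest.rpartition(":")
        try:
            ipaddress.ip_address(host)
            int(port)
        except ValueError:
            continue
        out.append((dest, domain, ptr_to_ip(domain)))
    return out


def queried_ips(rows):
    """Unique decoded addresses, sorted numerically (IPv4 before IPv6)."""
    ips = {ip for _, _, ip in parse_network(rows) if ip}
    return sorted(ips, key=lambda s: (ipaddress.ip_address(s).version,
                                      int(ipaddress.ip_address(s))))


if __name__ == "__main__":
    for dest, domain, ip in parse_network(NETWORK_ROWS):
        print(f"{dest:<14} {domain or '<no domain>':<32} -> {ip or '-'}")
    print("queried addresses:", ", ".join(queried_ips(NETWORK_ROWS)))
```

The decoded addresses are what the sandbox guest asked the resolver about; attributing them to the sample rather than to background OS traffic needs the issuing process, which this table does not record.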

Files

memory/4188-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4188-1-0x0000000077314000-0x0000000077316000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 297c3a7223214ad60cc058216b253476
SHA1 be79feb452580c2cb401c0e2a04ab2f8a331f6ed
SHA256 2b59d8709abc0934fab06d9fc513045c2f2c5d94c040389c005c797ff6b37c78
SHA512 c3c796feb65c3972162f9fcc1e9ecda892d491ae4e3125579df66ee49c0dfa7119e6788410acc537e513b14abee481ac2b42d0a3ce85a5801a34afc40ccee657

memory/4420-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 e530c4687e8a0a0b9f96bea686680b5c
SHA1 b2f5094a7261670314f018bfa0e4f180a787f295
SHA256 6dc948dcae5afdcf6d8b12483030c48c175baa0dd4b0d2401c335930d87e4d76
SHA512 5fa95ae0e31615af945f59eae879141d5b7619ca1ec2d0ecc1c34e1a432f8782332886191e3c1cec1c010215a5f67371702d71997a913438355da80fd3579cb2

memory/2100-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 2c6453099aad5ff461df9f863ebee789
SHA1 66d50051fc90456249f4ec69aa8bd78c01edc530
SHA256 64dff72c8df0c17daa1e9f698965ca297d93f21ed3cf2feb1436e611795fffb1
SHA512 957f192efb22656dd5a2bd855ee28e6d8775bc29059e793891bb5b5159d266eb09436d96b8702c4c87e3777215907c6bb40a496eb17c7c76dd33b0195e235afe

memory/1844-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/708-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/708-38-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2100-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4188-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4420-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4420-45-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1844-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1844-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4420-56-0x0000000000400000-0x0000000000A0E000-memory.dmp