Malware Analysis Report

2024-10-10 07:58

Sample ID 240612-dbhjtszamd
Target b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6
SHA256 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6

Threat Level: Known bad

The file b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6 was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Modifies visibility of hidden/system files in Explorer

Detects executables packed with Themida

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

Themida packer

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 02:49

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 02:49

Reported

2024-06-12 02:52

Platform

win7-20240419-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe \??\c:\windows\resources\themes\explorer.exe
PID 2444 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe \??\c:\windows\resources\themes\explorer.exe
PID 2444 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe \??\c:\windows\resources\themes\explorer.exe
PID 2444 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe \??\c:\windows\resources\themes\explorer.exe
PID 3000 wrote to memory of 2808 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3000 wrote to memory of 2808 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3000 wrote to memory of 2808 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3000 wrote to memory of 2808 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2808 wrote to memory of 2652 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2808 wrote to memory of 2652 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2808 wrote to memory of 2652 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2808 wrote to memory of 2652 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2652 wrote to memory of 2708 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2652 wrote to memory of 2708 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2652 wrote to memory of 2708 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2652 wrote to memory of 2708 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 3000 wrote to memory of 2692 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 3000 wrote to memory of 2692 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 3000 wrote to memory of 2692 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 3000 wrote to memory of 2692 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2652 wrote to memory of 2524 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 2524 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 2524 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 2524 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 1644 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 1644 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 1644 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 1644 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 1520 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 1520 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 1520 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 1520 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe

"C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:52 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:53 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:54 /f

Network

N/A

Files

memory/2444-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2444-1-0x0000000077E30000-0x0000000077E32000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 00788ff7a0902e96f8683df5f72d542d
SHA1 3ef66edde5964b41a0990bd778caf0fb853ccbbb
SHA256 cb9927162b1203811170fc22dded663f8da12c911d6c1b119751138402ab1811
SHA512 7d838e83901e64042b427b769effb9074a6bde0dec66e94252eb1fe0f9b3e4de2934b903bb738b7eb6929841be1b80e59b75ae71b038b905c5d460fb93e0bacd

memory/2444-11-0x0000000003770000-0x0000000003D7E000-memory.dmp

memory/3000-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 558da7f5602df12109718183b543070a
SHA1 a7ea5997117f1d499468a85ed812abcbc1828545
SHA256 531d343279943dc74a3f8d94459c2f576b7dcbebcdcd9b90c65542bd5e6d7229
SHA512 e7a34d9893a40167480ee40f58a91366ef3aed3365ddac6f7e2eaf37551c65d1a46ec2f360a64f15df9bd377bd596550b61aebb8c5f92dd9a435248971d4ad28

memory/2808-24-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3000-23-0x00000000038A0000-0x0000000003EAE000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 25fd0919c5f976a7018db1d3d74bf512
SHA1 c5636c19231b1b9e469fd5a6d38cc9009a936557
SHA256 17bb75b74873a5fa057e13f359dc52b11947943c60064bba8c4e80de40642ee5
SHA512 19e3b35a60993351c526bd962be29f6c54fae7a754a56b44e9593b83943af7718f67b01300dfa71cfc92e696f2408320e3b12e77c9b1e37476d3e89707aa26e3

memory/2808-35-0x00000000034D0000-0x0000000003ADE000-memory.dmp

memory/2652-36-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2708-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2652-43-0x0000000003200000-0x000000000380E000-memory.dmp

memory/2708-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2808-50-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2444-52-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3000-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2652-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3000-55-0x00000000038A0000-0x0000000003EAE000-memory.dmp

memory/3000-58-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3000-64-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3000-66-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 02:49

Reported

2024-06-12 02:52

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe N/A (x4)
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A (x30)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1340 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe \??\c:\windows\resources\themes\explorer.exe (x3)
PID 4308 wrote to memory of 796 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe (x3)
PID 796 wrote to memory of 2688 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe (x3)
PID 2688 wrote to memory of 696 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe (x3)

Processes

C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe

"C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/1340-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1340-1-0x0000000077E14000-0x0000000077E16000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 4e89ee3b9837d2952cce13a817f49ea7
SHA1 36711ba996a06fb5b8a8478b7c1401f9828f1d47
SHA256 84a4849ec7116e602734fdb983778fa487203bae18b3b47c0bbbcf835962796c
SHA512 8c999002b6b1f308bdca12cc990080c781345c3849c31371798b92581e8f272b1d5ef98a8c8f4e2374a9c28c35960277a04dea9b520494bd4ec8d88e4c73ae87

memory/4308-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 3b3b2a475df8a63d3bcf295a14c97277
SHA1 c59d11eff430d3f7468ddfd0b55dcde56cb68ff7
SHA256 30c56bc39d95bf8a0e3dc7d8af1f8f9fcd8c54cc23b08a2762a3bfc71717ee61
SHA512 0a033d04986961f389f33b1dac72ed056b55255e25825db0c78bc1de4088a25331824792fffed3f8c5ee2d7cda5884ffd4af41658733fd684865e542cf3766b9

memory/796-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 4434e485c9ae8e8e1f92be609df63c2a
SHA1 e1cf16bbc75283d4581100c8665418a287a29f4f
SHA256 a25bceecfb46da109ea5ae05b449fe58e3b5d8ec65cc6221fc34202e04c57a63
SHA512 7dd41bda94d0d7b7d9adeb0a6b41af6197f362673b4a0f393b3309253c8b77dc720ad641a615dcb394d948cac214a12c5a036b27442e0853fb55e3ccce44f1d2

memory/2688-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/696-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/696-37-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/796-39-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1340-41-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4308-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4308-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2688-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2688-48-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4308-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4308-61-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4308-63-0x0000000000400000-0x0000000000A0E000-memory.dmp