Malware Analysis Report

2024-10-10 07:58

Sample ID 240612-dbtbbszakp
Target b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83
SHA256 b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83

Threat Level: Known bad

The file b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83 was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Detects executables packed with Themida

Modifies visibility of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 02:50

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 02:50

Reported

2024-06-12 02:53

Platform

win7-20240508-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe \??\c:\windows\resources\themes\explorer.exe
PID 2240 wrote to memory of 1708 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1708 wrote to memory of 2780 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2780 wrote to memory of 2760 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2240 wrote to memory of 2232 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2780 wrote to memory of 2516 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 2084 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 2368 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe

"C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:52 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:53 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:54 /f

Network

N/A

Files

\Windows\Resources\Themes\explorer.exe

MD5 30b6c7ab99f38794ff2c4bf732be5445
SHA1 db1263797c6e7a2d2d34053393edccb3b9f76866
SHA256 0a3ad8f3abe182d6610099e52ab2fd23cb1e7f201ed6f4753b38201fcb16d225
SHA512 0a6ac03b1f4baeaa9393b5b725bb3efd05c45bd1124c4557cf241113607d03b1f2e80900b9a44bbd431f2c02e08639a2db174a02e68ec82fb2203bd7eab13560

C:\Windows\Resources\spoolsv.exe

MD5 d3ff53fc3ad181a235511f86369aea2d
SHA1 a91d97c74ad297aa2b9c32491f1cbe33e21f1928
SHA256 ad4653f8ff5a0916a70591e7fc3fc0e2ec961f7bbf802e14c2373cd01bbbac29
SHA512 022f496da01461e7bdc2354f69291a565d5419920ce4dbaa720dc2a3148efe4d7e9779136ed7c191a7a0b3986b0adef6e8b6571418c6162d096e6af8916c7801

\Windows\Resources\svchost.exe

MD5 22efb7ef7e9b64e2214573f4a542cccd
SHA1 256c8f99e1a9e0311d61119b279312d16a750d6f
SHA256 3336b4ca7fa8901ae5d98ea0d71c27efef4bef27156c69eff966c6ca7c476c87
SHA512 9c8783242875b9147d4d6724fa69a570808efc6370ab1f13042d7eab44036b6076c10b9b919183cf82a6428a221afe717708400e08ccbbcb5d15e043674b55ee

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 02:50

Reported

2024-06-12 02:53

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe \??\c:\windows\resources\themes\explorer.exe (3 identical rows)
PID 3676 wrote to memory of 3056 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe (3 identical rows)
PID 3056 wrote to memory of 1444 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe (3 identical rows)
PID 1444 wrote to memory of 3888 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe (3 identical rows)
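The WriteProcessMemory table records a linear injection chain: the sample writes into explorer.exe, which writes into spoolsv.exe, which writes into svchost.exe, which writes into a second spoolsv.exe, and every binary after the first lives under C:\Windows\Resources rather than in the directory where Windows keeps the genuine executable. The script below is an added example by the editor, not part of the sandbox output: it parses rows in the report's own format (the four distinct writes, each recorded three times, embedded as they appear on the page), de-duplicates them, reconstructs the chain in the order it was recorded, and flags paths that reuse a well-known Windows binary name outside its real location. The EXPECTED_LOCATIONS table and the function names are the editor's assumptions.

```python
import re
from collections import Counter, defaultdict

# Rows of the "Suspicious use of WriteProcessMemory" table, copied from this report
# (the four distinct writes, each recorded three times).
WPM_ROWS = r"""
PID 2328 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe \??\c:\windows\resources\themes\explorer.exe
PID 2328 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe \??\c:\windows\resources\themes\explorer.exe
PID 2328 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe \??\c:\windows\resources\themes\explorer.exe
PID 3676 wrote to memory of 3056 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3676 wrote to memory of 3056 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3676 wrote to memory of 3056 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3056 wrote to memory of 1444 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3056 wrote to memory of 1444 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3056 wrote to memory of 1444 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1444 wrote to memory of 3888 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1444 wrote to memory of 3888 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1444 wrote to memory of 3888 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Where Windows itself keeps binaries with these names (editor's assumption used
# by the masquerade check; extend it for other names you care about).
EXPECTED_LOCATIONS = {
    "explorer.exe": {r"c:\windows\explorer.exe", r"c:\windows\syswow64\explorer.exe"},
    "spoolsv.exe": {r"c:\windows\system32\spoolsv.exe"},
    "svchost.exe": {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"},
}


def normalize(path):
    """Strip the NT object-manager prefix the sandbox prints and lower-case the path."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def is_masquerading(path):
    """True if the basename is a well-known Windows binary but the path is not a real location."""
    name = path.rsplit("\\", 1)[-1]
    expected = EXPECTED_LOCATIONS.get(name)
    return expected is not None and path not in expected


def parse_rows(text):
    """Turn report rows into (src_pid, dst_pid, src_path, dst_path) tuples."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised row: %r" % line)
        src, dst, src_path, dst_path = m.groups()
        events.append((int(src), int(dst), normalize(src_path), normalize(dst_path)))
    return events


def analyze(text):
    events = parse_rows(text)
    edges = Counter((s, d) for s, d, _, _ in events)   # de-duplicated, with repeat counts
    path_of = {}
    for s, d, sp, dp in events:
        path_of.setdefault(s, sp)
        path_of.setdefault(d, dp)
    children = defaultdict(list)
    for s, d in edges:
        children[s].append(d)
    targets = {d for _, d in edges}
    roots = [p for p in path_of if p not in targets]   # PIDs nobody wrote into
    order = []

    def walk(pid):   # depth-first, in the order the writes were recorded
        order.append(pid)
        for c in children[pid]:
            walk(c)

    for r in roots:
        walk(r)
    masquerading = sorted({p for p in path_of.values() if is_masquerading(p)})
    return {"roots": roots, "order": order, "edges": dict(edges),
            "paths": path_of, "masquerading": masquerading}


if __name__ == "__main__":
    result = analyze(WPM_ROWS)
    print("injection chain:", " -> ".join(
        "%d (%s)" % (p, result["paths"][p].rsplit("\\", 1)[-1]) for p in result["order"]))
    for (s, d), n in result["edges"].items():
        print("  %d wrote to %d (%d times)" % (s, d, n))
    print("system-binary names outside their real location:")
    for p in result["masquerading"]:
        print("  ", p)
```

Run stand-alone it prints the chain 2328 -> 3676 -> 3056 -> 1444 -> 3888 and the three C:\Windows\Resources paths; the same check applied to EDR process-access telemetry (parent image, target image) will surface any copy of this pattern on a host.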

Processes

C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe

"C:\Users\Admin\AppData\Local\Temp\b1d7c1f4c25d5c366757ef8d110875d1183d7ae82b63ed23817c770c6d458c83.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

All three entries are reverse (PTR) lookups sent to Google Public DNS (8.8.8.8); the in-addr.arpa names reverse to 40.126.32.68, 199.232.210.172 and 52.111.243.30. No other destination is recorded for this run, so this table yields no command-and-control indicator.

Files

memory/2328-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2328-1-0x0000000077254000-0x0000000077256000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 e16ab5c16664a09250adc355c18f2f11
SHA1 cc5e0052b4e1403df99e342f0547515e0f22bd75
SHA256 d6da6eec897aeb2fb729ee3b440e396653aec59f3108712758233be306f9cb62
SHA512 7c0fe2a89d82bffcb3815a6fe941d139499cfa9e60e625697dd3501c1058d0e3b2deb504dd2ce32d9983cb733bb1bcc03f826d88ffb9b44877cc0aab327653d2

memory/3676-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 aa090a466b8052f36bff9225d3aaccaf
SHA1 5c1f326735965e4361331412b5e78c0eb70f5dfc
SHA256 066abfaaf22bfd6eb00433ae009e92e9f7b7c60f528cf0650f69346b9e28e7ee
SHA512 e7065815d6f96374116c8de1de6f44595944f2a4bd281a7ce771a1d4331b2990ae9004045e16eddcc1fba462f81df22596cbe250cec8f8b3c453ee5bb838e76a

memory/3056-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 13d0ae75e86405873bd45bfaaee0d6e3
SHA1 d959e5dfa456cd94d0893a1094b362f2f1016467
SHA256 1661dac89fa67d046f411503fdd8ba69d9d4c2459c455c291092f9535d06b4d2
SHA512 952891ca98cac8d66ad50157f4e6e58178c1d71cf5a91fb15e8eea38f3414c00d4323d159e0dda3aa20cb19a73b7e19a3b1cd79ee09c02efaaac2519eebdea3a

memory/1444-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3888-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3056-41-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2328-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3888-38-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3676-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1444-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3676-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3676-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1444-62-0x0000000000400000-0x0000000000A0E000-memory.dmp
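The Files list mixes memory dumps named memory/<pid>-<n>-<start>-<end>-memory.dmp with the three dropped executables and their hashes. Two things worth pulling out of it: thirteen of the fourteen dumps cover the same 0x400000-0xA0E000 region in every PID of the chain, and the three dropped copies have distinct hashes, so a host check should match on the unusual paths as well as on the digests. The script below is an added example by the editor, not sandbox output: it parses the section (embedded here as it appears on the page), groups dumps by PID and by region, checks that each digest has the right length for its algorithm, and builds a SHA-256 lookup for host-side triage. Function names are the editor's; the bytes passed to match_bytes in the usage block are a constructed stand-in, not sample content.

```python
import hashlib
import re
from collections import Counter

# The "Files" section of behavioral1, copied from this report.
FILES_SECTION = r"""
memory/2328-0-0x0000000000400000-0x0000000000A0E000-memory.dmp
memory/2328-1-0x0000000077254000-0x0000000077256000-memory.dmp
C:\Windows\Resources\Themes\explorer.exe
MD5 e16ab5c16664a09250adc355c18f2f11
SHA1 cc5e0052b4e1403df99e342f0547515e0f22bd75
SHA256 d6da6eec897aeb2fb729ee3b440e396653aec59f3108712758233be306f9cb62
SHA512 7c0fe2a89d82bffcb3815a6fe941d139499cfa9e60e625697dd3501c1058d0e3b2deb504dd2ce32d9983cb733bb1bcc03f826d88ffb9b44877cc0aab327653d2
memory/3676-10-0x0000000000400000-0x0000000000A0E000-memory.dmp
C:\Windows\Resources\spoolsv.exe
MD5 aa090a466b8052f36bff9225d3aaccaf
SHA1 5c1f326735965e4361331412b5e78c0eb70f5dfc
SHA256 066abfaaf22bfd6eb00433ae009e92e9f7b7c60f528cf0650f69346b9e28e7ee
SHA512 e7065815d6f96374116c8de1de6f44595944f2a4bd281a7ce771a1d4331b2990ae9004045e16eddcc1fba462f81df22596cbe250cec8f8b3c453ee5bb838e76a
memory/3056-19-0x0000000000400000-0x0000000000A0E000-memory.dmp
C:\Windows\Resources\svchost.exe
MD5 13d0ae75e86405873bd45bfaaee0d6e3
SHA1 d959e5dfa456cd94d0893a1094b362f2f1016467
SHA256 1661dac89fa67d046f411503fdd8ba69d9d4c2459c455c291092f9535d06b4d2
SHA512 952891ca98cac8d66ad50157f4e6e58178c1d71cf5a91fb15e8eea38f3414c00d4323d159e0dda3aa20cb19a73b7e19a3b1cd79ee09c02efaaac2519eebdea3a
memory/1444-28-0x0000000000400000-0x0000000000A0E000-memory.dmp
memory/3888-33-0x0000000000400000-0x0000000000A0E000-memory.dmp
memory/3056-41-0x0000000000400000-0x0000000000A0E000-memory.dmp
memory/2328-42-0x0000000000400000-0x0000000000A0E000-memory.dmp
memory/3888-38-0x0000000000400000-0x0000000000A0E000-memory.dmp
memory/3676-43-0x0000000000400000-0x0000000000A0E000-memory.dmp
memory/1444-44-0x0000000000400000-0x0000000000A0E000-memory.dmp
memory/3676-49-0x0000000000400000-0x0000000000A0E000-memory.dmp
memory/3676-55-0x0000000000400000-0x0000000000A0E000-memory.dmp
memory/1444-62-0x0000000000400000-0x0000000000A0E000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (dumps, dropped): dump records, and dropped files as {path, hashes}."""
    dumps, dropped, current = [], [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            continue
        m = HASH_RE.match(line)
        if m and current is not None:      # hash lines belong to the preceding path
            current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            dropped.append(current)
            continue
        raise ValueError("unrecognised line: %r" % line)
    return dumps, dropped


def validate_hashes(dropped):
    """(path, algo) pairs whose digest has the wrong length for its algorithm."""
    return [(f["path"], algo) for f in dropped
            for algo, h in f["hashes"].items() if len(h) != HEX_LEN[algo]]


def dumps_by_pid(dumps):
    return Counter(d["pid"] for d in dumps)


def image_regions(dumps):
    """Dumps per (start, end) region; one region repeated across PIDs points at one image copied around."""
    return Counter((d["start"], d["end"]) for d in dumps)


def sha256_lookup(dropped):
    return {f["hashes"]["SHA256"]: f["path"] for f in dropped if "SHA256" in f["hashes"]}


def match_bytes(data, lookup):
    """Path of the dropped file whose SHA-256 equals that of data, else None."""
    return lookup.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    dumps, dropped = parse_files_section(FILES_SECTION)
    print("dumps per PID:", dict(dumps_by_pid(dumps)))
    for (start, end), n in image_regions(dumps).items():
        print("region 0x%X-0x%X (0x%X bytes): %d dumps" % (start, end, end - start, n))
    print("hash problems:", validate_hashes(dropped))
    lookup = sha256_lookup(dropped)
    # Constructed stand-in for a file read off a suspect host; it will not match.
    print("match for constructed bytes:", match_bytes(b"not one of the dropped files", lookup))
```

On a suspect host, feed match_bytes the contents of anything found under C:\Windows\Resources with an .exe extension; a None result does not clear the file, since the three copies here already differ from one another, so treat the path itself as the primary indicator.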