Malware Analysis Report

2024-10-10 08:00

Sample ID 240612-he1a9stamn
Target efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a
SHA256 efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a
Tags
themida evasion persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a

Threat Level: Known bad

The file efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Modifies visibility of hidden/system files in Explorer

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

Themida packer

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 06:39

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 06:39

Reported

2024-06-12 06:42

Platform

win7-20231129-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe \??\c:\windows\resources\themes\explorer.exe
PID 3016 wrote to memory of 2204 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2204 wrote to memory of 2676 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2676 wrote to memory of 2596 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 3016 wrote to memory of 2712 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2676 wrote to memory of 2692 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2676 wrote to memory of 1132 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2676 wrote to memory of 1988 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe

"C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:41 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:42 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:43 /f

Network

N/A

Files

memory/2216-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2216-1-0x0000000077140000-0x0000000077142000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 8ec2e424c7cf2041832eaac1c8f0911d
SHA1 1f434dbce19729d683e06659a9ce91118d18d3cd
SHA256 f38eeb31e8ca13dabe8b3daed071fad579f7344a29561c4bf9feaa198977bf68
SHA512 e7ad83beb015e423f5bc5e79b2b68c51b818ce412177661263bcf6de960db5f2ded926302f9ccf987c061a91599af4d9a011947cf48d63d0d76a6485d94ea857

memory/3016-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2216-11-0x0000000003740000-0x0000000003D4E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 dd9c73587153a22458e4bf259fbbbf2f
SHA1 133dec4578bf262a07b4819b1f495da31161b061
SHA256 d1e3ef3feed1247c3c755cf74346f92e3c42a2d2c58aa117d587b7791e3fdf66
SHA512 2388acc5a3b06cc51fdfe087b92dd2a2bfe442e3dd6e2f7b48bd86ae9c0eced48253ef3285f9116e7a096c01a2c791924a3d0719c39f90fdd096e235554f91ce

memory/3016-22-0x0000000003650000-0x0000000003C5E000-memory.dmp

memory/2204-24-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\svchost.exe

MD5 17467d9a87795354400031e64125a6fe
SHA1 91619a66c0c84ce9cf47e44c4c699daaa8fda3b4
SHA256 d79615bc185993bcbe975950083d0cd68dda7d7b686960a419c7e30cd023885e
SHA512 eaa9564a568d37376125aec81abcb27afdbd3439d09ab8f2ffee58177027b0e575af241a229773c2df78d50fc742a64d02d188aac432e48a1a45598d5993056d

memory/2676-36-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2204-35-0x00000000037B0000-0x0000000003DBE000-memory.dmp

memory/2216-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2596-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2204-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2596-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2216-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3016-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3016-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2676-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3016-59-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3016-63-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3016-67-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2676-78-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 06:39

Reported

2024-06-12 06:42

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3944 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe \??\c:\windows\resources\themes\explorer.exe
PID 3944 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe \??\c:\windows\resources\themes\explorer.exe
PID 3944 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe \??\c:\windows\resources\themes\explorer.exe
PID 348 wrote to memory of 2292 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 348 wrote to memory of 2292 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 348 wrote to memory of 2292 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2292 wrote to memory of 4204 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2292 wrote to memory of 4204 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2292 wrote to memory of 4204 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4204 wrote to memory of 3800 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4204 wrote to memory of 3800 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4204 wrote to memory of 3800 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe

"C:\Users\Admin\AppData\Local\Temp\efb0120a970fa20a853ae1af5fbdb2403e82f0c481352799d753ec4f9ff4056a.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.121:443 www.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 121.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/3944-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3944-1-0x0000000077D54000-0x0000000077D56000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 65b4e3f2e5b636c0a79c55f93c5e128b
SHA1 e4f1354761624c420ffe672363b3bf2bb9b1db04
SHA256 08a595e70fe03e0f9589dbfec1ac97c39e21ca1e993704976858285d698b78c9
SHA512 426748c77ef321ae00876364c4e7a614ee3d702d18ad81b7d2cfae8eae0227293080d9ff95bfed89b7a52c536b19b6f21649f049cb670d5ca75714d2dcc22e11

memory/348-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 fddd84f5f2fe8a210b4ff746de0b2f35
SHA1 87ffc750661815f2f41c701688b117e248f596fc
SHA256 fadbfdd360ecd8e3e3a51f4d2e45910fadf7717790cdc4e206a9090704c6f060
SHA512 58745d928925a40339e45d73a892f6f42b7569db0e77c5fed60363f493811888e9c98ebfb377a0a360717d9bc950352da5cd41e345b52430c0c49145098ec72a

memory/2292-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 ca60690dd5d573019833c45c2ce0ce44
SHA1 0f376f3985b545152ca835f41a39fa6c9bbb7035
SHA256 3889c90f7255a968cf83f82a7801d04e9fec0c36120a6a4de69677e71dc97735
SHA512 3043ca2346b3d7ac8655b63ba8d0460ed1fa585d825b789de3e5ac67e3065714b1a29e63dc1f8b13113b3ad9871a1289485e33aa4247490b39d03f3ca6687df1

memory/4204-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3800-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3800-37-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3944-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2292-41-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/348-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4204-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4204-46-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4204-50-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/348-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/348-61-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/348-63-0x0000000000400000-0x0000000000A0E000-memory.dmp