Malware Analysis Report

2024-10-16 06:53

Sample ID 240616-3tqqlaybnp
Target 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd
SHA256 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd
Tags
themida evasion persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd

Threat Level: Known bad

The file 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Modifies visibility of hidden/system files in Explorer

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Analysis: static1

Detonation Overview

Reported

2024-06-16 23:48

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 23:48

Reported

2024-06-16 23:51

Platform

win7-20240508-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe \??\c:\windows\resources\themes\explorer.exe
PID 1144 wrote to memory of 2600 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2600 wrote to memory of 2752 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2752 wrote to memory of 2936 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1144 wrote to memory of 2644 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2752 wrote to memory of 2160 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2752 wrote to memory of 1052 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2752 wrote to memory of 2456 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe

"C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:50 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:51 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:52 /f

Network

N/A

Files

memory/1576-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1576-6-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 e80641e491fd0882bbfd7baaaf81e249
SHA1 a6ba085de48628abdde89886c65988a6cac39f58
SHA256 2d8dc214a051c8eacd7bd3879fc177d1a3c2a55cdaa782c1683339bce9919c85
SHA512 8d37f1d87c1ad68fe38bf4ba8c3927fc9dbde568300020478a060919783204cb146af85c008a69f3eaaef5150211066b6af090c58cdf56bfb13dc9497f49a166

memory/1576-11-0x0000000003760000-0x0000000003D6E000-memory.dmp

memory/1144-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1144-20-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1144-17-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\spoolsv.exe

MD5 a64df44eabb624fd052168842f7d5029
SHA1 70bf29220126216e2a6d9b424e325a206614c9bc
SHA256 850b2e4d049005f92a9e3e31f1a5e39ac51a602868c39b2f5ef1394e592a786e
SHA512 b4298bc4a0f53deb16bb08b1c45da6d3a730b9d452630d6f4d9fb32e5df42d3d2faeef0f1d6e406668ac9a864a10edf8c6e30cb12bdd73b1be011b765a15e64d

memory/2600-26-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1144-25-0x00000000035F0000-0x0000000003BFE000-memory.dmp

memory/2600-35-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\svchost.exe

MD5 6e28cc56fc81181c8e36bcb3d952d947
SHA1 e6bca1de0464a580cf2662f0f9b0be93a59c2beb
SHA256 80c1eadd5a2f1c412f14cb67bfd9244303f728dcd065b5fce6e52a4e53d207ae
SHA512 c25b323d1999e062032c25c1adb5a4e18d9283c4f617bc6d9cacb83b848319d4a3b1d6d943cef33ca4f7861ed03cbf0012ce778d0ca4a4a68829e1165c6256e1

memory/2752-39-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2600-38-0x0000000003650000-0x0000000003C5E000-memory.dmp

memory/2936-47-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2752-46-0x0000000003390000-0x000000000399E000-memory.dmp

memory/2600-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2936-52-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1576-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1144-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2752-57-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1144-58-0x00000000035F0000-0x0000000003BFE000-memory.dmp

memory/1144-67-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1144-75-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 23:48

Reported

2024-06-16 23:51

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1212 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe \??\c:\windows\resources\themes\explorer.exe
PID 1212 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe \??\c:\windows\resources\themes\explorer.exe
PID 1212 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe \??\c:\windows\resources\themes\explorer.exe
PID 1660 wrote to memory of 5012 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1660 wrote to memory of 5012 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1660 wrote to memory of 5012 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 5012 wrote to memory of 720 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 5012 wrote to memory of 720 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 5012 wrote to memory of 720 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 720 wrote to memory of 2344 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 720 wrote to memory of 2344 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 720 wrote to memory of 2344 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
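The WriteProcessMemory rows above describe a four-hop chain in which each stage writes into the next: the submitted sample into a copy named explorer.exe, which writes into spoolsv.exe, which writes into svchost.exe, which writes into a second spoolsv.exe. All three image names are Windows system binaries, but none is in its legitimate directory (the copies live under c:\windows\resources). The following is an added example, written by the editor rather than taken from the sandbox, that parses a copy of those rows, deduplicates the repeated events, rebuilds the PID chain, and flags images whose name matches a system binary but whose directory does not. The expected-directory table is the editor's assumption about a default Windows install.

```python
"""Reconstruct the injection chain from the 'Suspicious use of WriteProcessMemory'
rows above. The rows are copied from this report; the parsing, chain-building and
path checks are an added example, not the sandbox's own tooling."""
import re
from pathlib import PureWindowsPath

# Rows copied from the report (abridged: one repeat of the first row is kept to
# show deduplication). The sandbox emits one row per WriteProcessMemory call.
WPM_ROWS = [
    r"PID 1212 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe \??\c:\windows\resources\themes\explorer.exe",
    r"PID 1212 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe \??\c:\windows\resources\themes\explorer.exe",
    r"PID 1660 wrote to memory of 5012 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe",
    r"PID 5012 wrote to memory of 720 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe",
    r"PID 720 wrote to memory of 2344 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe",
]

# Row layout: "PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Editor's assumption: where these binaries live on a default Windows install.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def normalize(path):
    """Drop the NT object-manager prefix (\\??\\) and lowercase for comparison."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_rows(rows):
    """Return ordered, deduplicated (src_pid, dst_pid, src_image, dst_image) edges."""
    edges = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        edge = (int(m.group(1)), int(m.group(2)), normalize(m.group(3)), normalize(m.group(4)))
        if edge not in edges:
            edges.append(edge)
    return edges


def build_chain(edges):
    """Follow src->dst edges from the single root (a PID nothing wrote into).
    Each source here has one target; a branching tree would need a full walk."""
    child_of = {}
    for src, dst, _, _ in edges:
        child_of.setdefault(src, dst)
    targets = {dst for _, dst, _, _ in edges}
    roots = [p for p in child_of if p not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root PID, found {roots}")
    chain = [roots[0]]
    # Stop on a cycle so a malformed report cannot loop forever.
    while chain[-1] in child_of and child_of[chain[-1]] not in chain:
        chain.append(child_of[chain[-1]])
    return chain


def masquerading_images(edges):
    """Image paths that carry a system-binary name outside its expected directory."""
    flagged = set()
    for _, _, src_img, dst_img in edges:
        for img in (src_img, dst_img):
            p = PureWindowsPath(img)
            if p.name in EXPECTED_DIRS and str(p.parent) not in EXPECTED_DIRS[p.name]:
                flagged.add(img)
    return sorted(flagged)


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    print("chain:", " -> ".join(str(pid) for pid in build_chain(edges)))
    for img in masquerading_images(edges):
        print("masquerading:", img)
```

Running it prints the chain 1212 -> 1660 -> 5012 -> 720 -> 2344 and lists the three out-of-place copies. The same parser works on the full, unabridged row set, since identical events collapse to one edge.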

Processes

C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe

"C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp

Files

memory/1212-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1212-1-0x00000000770C4000-0x00000000770C6000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 e6b9e4e2f2e7a6c01454ec313abd5418
SHA1 0969cb1e8b2712583475f8c5a89a14bf7ca614c2
SHA256 e1e61c379ff1c4517753c401e8e9e8babbf6f44f1b79cd4bbbf032e6d441df63
SHA512 d4c82670a28f368ebe4eee232e2837a1e85e18e216499c6338c6667c794d6b531d63d3ae761552efead0eb85c32abff6b0521462ed0ffa3b33dda80e0454740b

memory/1660-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 8a60f054b553b69862e4b25fd3e190a0
SHA1 79c30b2d97de9280ca02bd7ab6d4c334d555582a
SHA256 b26bfd058cf7df9d895e60b910cc7ae44f681845b310e544fda0c093f02af574
SHA512 6500bd391128cccbd6019106391b1b76d5ed7f5f18114f850742884f921226ebec895764cc2b5182ff18a5f4659fdbda2e37fd1165018631d9a057931e2a8ef1

memory/5012-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 aa2b9d59f6c736c6d7d4298c1bc7c113
SHA1 1a63d5a06eb4515a2f0b0cf7739187c7f94be68e
SHA256 53a82a8b9d594a77f89458f86f0116e10629827d1087e26f4a449887d470b5e8
SHA512 8b6d1bcfe9965b098bd545eff3b31fdda3ea194533e879ddb970a13469426331b3a31061aa741b59ff89a898a422c8c334e9caa5229d4a89cc906766d66bb24f

memory/720-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2344-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1212-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/5012-41-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2344-38-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1660-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/720-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1660-45-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/720-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/720-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1660-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1660-64-0x0000000000400000-0x0000000000A0E000-memory.dmp
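The three dropped files above give exact SHA-256 values to hunt for, but a Themida-packed dropper that is rebuilt will produce different hashes while very likely keeping the same drop paths. The following is an added example by the editor, not code from the sandbox or the malware's authors, that hashes every file under a chosen root, reports exact matches against the report's SHA-256 values, and separately flags any explorer.exe, spoolsv.exe or svchost.exe found beneath a Resources directory regardless of hash. The sample directory tree it builds is constructed placeholder data so the script runs offline; the "Resources" directory heuristic is the editor's own. On a live Windows host, run scan() with the root set to the system drive (administrator rights are needed to read everything under C:\Windows).

```python
"""Hunt for the files this report lists as dropped. Added example (not the
sandbox's code): exact SHA-256 matches against the report's IOCs, plus a
path-based check that survives re-packing of the dropper."""
import hashlib
import tempfile
from pathlib import Path

# Dropped files and SHA-256 values copied from the report's Files section.
DROPPED_FILES = {
    r"Windows\Resources\Themes\explorer.exe": "e1e61c379ff1c4517753c401e8e9e8babbf6f44f1b79cd4bbbf032e6d441df63",
    r"Windows\Resources\spoolsv.exe": "b26bfd058cf7df9d895e60b910cc7ae44f681845b310e544fda0c093f02af574",
    r"Windows\Resources\svchost.exe": "53a82a8b9d594a77f89458f86f0116e10629827d1087e26f4a449887d470b5e8",
}
KNOWN_SHA256 = frozenset(DROPPED_FILES.values())
SUSPECT_NAMES = {"explorer.exe", "spoolsv.exe", "svchost.exe"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, known_hashes=KNOWN_SHA256):
    """Return sorted (relative_posix_path, sha256, reason) hits beneath root."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        digest = sha256_file(p)
        parent_dirs = [s.lower() for s in rel.parts[:-1]]
        if digest in known_hashes:
            hits.append((rel.as_posix(), digest, "hash matches report IOC"))
        elif p.name.lower() in SUSPECT_NAMES and "resources" in parent_dirs:
            # Editor's heuristic: these names never belong under a Resources folder.
            hits.append((rel.as_posix(), digest, "system binary name under Resources"))
    return sorted(hits)


def build_sample_tree(root):
    """Write a constructed tree for offline demonstration. Contents are placeholder
    bytes, not the real samples. Returns the SHA-256 of the fake Resources\\svchost.exe."""
    root = Path(root)
    files = {
        "Windows/Resources/Themes/explorer.exe": b"MZ constructed sample A",
        "Windows/Resources/svchost.exe": b"MZ constructed sample B",
        "Windows/explorer.exe": b"MZ constructed benign explorer",
        "Windows/System32/svchost.exe": b"MZ constructed benign svchost",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return hashlib.sha256(files["Windows/Resources/svchost.exe"]).hexdigest()


def demo():
    """Build the constructed tree in a temp dir and scan it. The fake svchost's
    hash is added to the IOC set so both detection paths are exercised."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_hash = build_sample_tree(tmp)
        return scan(tmp, KNOWN_SHA256 | {fake_hash})


if __name__ == "__main__":
    for rel, digest, reason in demo():
        print(f"{reason:38} {rel} {digest[:16]}...")
```

The benign-looking copies at Windows\explorer.exe and Windows\System32\svchost.exe in the constructed tree are deliberately not flagged: the name check only fires beneath a Resources directory, which keeps the heuristic from lighting up on every legitimate system binary.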