Malware Analysis Report

2025-03-14 22:49

Sample ID 240406-1rvknaca91
Target 68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4
SHA256 68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4
Tags
evasion persistence themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4

Threat Level: Known bad

The file 68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4 was found to be: Known bad.

Malicious Activity Summary

evasion persistence themida trojan

Detects executables packed with Themida

Modifies visibility of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Themida packer

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:53

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:53

Reported

2024-04-06 21:56

Platform

win7-20240319-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A (20 hits; identical rows collapsed, the report records no indicator or process for any of them)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (20 hits; identical rows collapsed, the report records no indicator or process for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Hits
N/A N/A C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe N/A 17
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A 26
N/A N/A \??\c:\windows\resources\svchost.exe N/A 21
(64 rows in the original, grouped by process; no indicator details recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Hits
PID 3028 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe \??\c:\windows\resources\themes\explorer.exe 4
PID 2164 wrote to memory of 2792 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe 4
PID 2792 wrote to memory of 984 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe 4
PID 984 wrote to memory of 2624 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe 4
PID 2164 wrote to memory of 2628 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe 4
PID 984 wrote to memory of 2840 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 984 wrote to memory of 1244 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 984 wrote to memory of 2056 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe 4
(32 rows in the original, grouped by source/target PID pair; the 2164 -> 2628 writes target the genuine C:\Windows\Explorer.exe, the others target the sample's own dropped copies or the schtasks children)

Processes

C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe

"C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:55 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:56 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:57 /f

Network

N/A

Files

memory/3028-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3028-1-0x00000000777B0000-0x00000000777B2000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 cb7da6043e38f3a71863ca9bedacc008
SHA1 f49a9182c6055e571c0dc09cb46a5d2912e4c2c6
SHA256 2e17520f30445ed07d1489cc5cb7ddf6530aa735d5850c5ad17e42cf85ea5bd6
SHA512 3aa0bb349a2f83a9c713ffd6ab6b96bb346113ab11491dd3b066d335a7ce9861d3927c483d9bdea6def0469704a27e3438565d660369f294801de29bee1eb7f5

memory/3028-10-0x00000000032E0000-0x00000000038EE000-memory.dmp

memory/2164-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 f1a2fd02376e924883c6334c306750d2
SHA1 4c2e49a06a53696efe9811bcb7918f0fd47af0b9
SHA256 af9917d12bd70cf695731106b99be61def8ef21f638299e288d7690edcd6b999
SHA512 ab16ed414d2dc8cf9cc84b5adad78ca798294b847f7c2adb94f1f0aced426ec3e7c65801bedc71a57f61d4eef825d261e2b6d1839979d8ee89a26076a9ae546a

memory/2164-23-0x0000000003360000-0x000000000396E000-memory.dmp

memory/2792-25-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\svchost.exe

MD5 a7ccc6de7c99303942877633c31a049e
SHA1 b4056eab7363fa589402d03d75a04297cc283838
SHA256 7c3be92a751c77f761a3a99331191dd1a988ec618265e1575dc0d594943ff7e3
SHA512 26e29e7770a04d182c9749061683433a9dcc530130bc6b888a6565ea1133f359372417f9dec9f35fa2d4ca80a25c7bba3c415f7b7d34f2f09cde850d6132d24a

memory/2792-35-0x0000000003190000-0x000000000379E000-memory.dmp

memory/984-36-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3028-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2624-46-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3028-48-0x00000000032E0000-0x00000000038EE000-memory.dmp

memory/2624-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2792-50-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3028-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2164-52-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/984-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2164-57-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2164-61-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2164-65-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/984-72-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/984-76-0x0000000000400000-0x0000000000A0E000-memory.dmp
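Host hunt for the artifacts logged in this detonation (added example; this PowerShell is not part of the sandbox report and is not the sample's code). It checks the four paths opened for modification under C:\Windows\Resources, compares any file found against the three SHA256 values from the Files section, reads the "Explorer" and "Svchost" RunOnce values, and looks for the scheduled task named "svchost" created by the three schtasks commands in the Processes section. Assumptions: the value names, task name and paths are exactly as logged here; other builds of the sample may change them, and tjud.exe has no hash in the report so it is only reported as present.

```powershell
# Added example, not part of the sandbox report: hunt a Windows host for the
# artifacts this sample dropped in behavioral1. Run in an elevated PowerShell.
# Every path, value name and hash below is taken from the report above;
# the value names and task name are assumed to be stable across builds.

$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped executables: SHA256 values from the Files section (uppercase, as Get-FileHash emits them)
$knownHashes = @{
    '2E17520F30445ED07D1489CC5CB7DDF6530AA735D5850C5AD17E42CF85EA5BD6' = 'Resources\Themes\explorer.exe'
    'AF9917D12BD70CF695731106B99BE61DEF8EF21F638299E288D7690EDCD6B999' = 'Resources\spoolsv.exe'
    '7C3BE92A751C77F761A3A99331191DD1A988EC618265E1575DC0D594943FF7E3' = 'Resources\svchost.exe'
}
$dropPaths = @(
    "$env:SystemRoot\Resources\Themes\explorer.exe",
    "$env:SystemRoot\Resources\spoolsv.exe",
    "$env:SystemRoot\Resources\svchost.exe",
    "$env:SystemRoot\Resources\tjud.exe"      # opened for modification; no hash recorded
)
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $tag = if ($knownHashes.ContainsKey($h)) { 'HASH MATCH' } else { 'unexpected file, hash not in report' }
        $findings.Add("file: $p ($tag, sha256=$h)")
    }
}

# 2. RunOnce persistence. The sample is a 32-bit process, so on 64-bit Windows its
#    HKLM\SOFTWARE write is redirected to Wow6432Node (the path the report shows);
#    both views are read so a 32-bit host is covered as well.
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runOnceKeys) {
    $props = Get-ItemProperty -Path $k
    if ($null -eq $props) { continue }
    foreach ($name in 'Explorer', 'Svchost') {
        $val = $props.$name
        if ($val -and $val -match '(?i)\\windows\\resources\\') {
            $findings.Add("runonce: $k\$name = $val")
        }
    }
}

# 3. Scheduled task "svchost" whose action is c:\windows\resources\svchost.exe
#    (the report shows three /create calls with /f, so only the last one survives)
Get-ScheduledTask -TaskName 'svchost' | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute -match '(?i)\\windows\\resources\\svchost\.exe') {
            $findings.Add("task: $($_.TaskPath)$($_.TaskName) -> $($a.Execute) ($($_.Triggers.Count) trigger(s))")
        }
    }
}

if ($findings.Count -eq 0) { 'no artifacts from sample 68590ba5... found on this host' } else { $findings }
```

The ShowSuperHidden = 0 write from the first signature is deliberately not checked: 0 is the default on a clean profile, so on its own it does not distinguish an infected host. The three dropped files carry the names of legitimate Windows binaries (explorer.exe, spoolsv.exe, svchost.exe) but live under C:\Windows\Resources, so the path, not the file name, is the useful indicator; note also that the sample's explorer.exe writes into the genuine C:\Windows\Explorer.exe (PID 2628 in the WriteProcessMemory table), which this file-and-registry hunt cannot see and which needs a memory-level check.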

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:53

Reported

2024-04-06 21:56

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A (15 hits; identical rows collapsed, the report records no indicator or process for any of them)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (15 hits; identical rows collapsed, the report records no indicator or process for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Hits
N/A N/A C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe N/A 34
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A 30
(64 rows in the original, grouped by process; no indicator details recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 724 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe \??\c:\windows\resources\themes\explorer.exe
PID 724 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe \??\c:\windows\resources\themes\explorer.exe
PID 724 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe \??\c:\windows\resources\themes\explorer.exe
PID 2708 wrote to memory of 2824 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2708 wrote to memory of 2824 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2708 wrote to memory of 2824 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2824 wrote to memory of 4872 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2824 wrote to memory of 4872 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2824 wrote to memory of 4872 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4872 wrote to memory of 632 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4872 wrote to memory of 632 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4872 wrote to memory of 632 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe

"C:\Users\Admin\AppData\Local\Temp\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR
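The WriteProcessMemory rows and the process list above describe a chain in which the sample writes into a process named explorer.exe, which writes into spoolsv.exe, which writes into svchost.exe, which writes into a second spoolsv.exe. None of these run from the directory Windows installs them in; all live under c:\windows\resources, which is the masquerading pattern behind the "Drops file in Windows directory" and "Executes dropped EXE" signatures. The following Python is an added example, not part of the sandbox report: it rebuilds that chain from the table rows (copied verbatim, including the sandbox's triplicated entries) and flags any well-known system binary name executing outside a canonical directory. The canonical-directory allow-list is an assumption for illustration; a real deployment would derive it from the host's own image inventory.

```python
"""Added example (not part of the sandbox report): flag Windows system-binary
names executing from non-canonical directories and rebuild the writer/target
chain recorded in the "Suspicious use of WriteProcessMemory" rows above.
The event tuples are constructed from those rows; the canonical-directory
allow-list is an assumption for illustration."""
import ntpath
from collections import defaultdict

# Assumption: canonical directories for the binary names seen in this report.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\68590ba5f2cf85fe527db5355182d998fe2b3a79ae9def4d17af9536a63ee8d4.exe")

# (writer_pid, target_pid, writer_image, target_image), copied from the table.
# The sandbox logged each write three times; the rows are kept as reported.
WPM_EVENTS = [
    (724, 2708, SAMPLE, r"\??\c:\windows\resources\themes\explorer.exe"),
] * 3 + [
    (2708, 2824, r"\??\c:\windows\resources\themes\explorer.exe",
     r"\??\c:\windows\resources\spoolsv.exe"),
] * 3 + [
    (2824, 4872, r"\??\c:\windows\resources\spoolsv.exe",
     r"\??\c:\windows\resources\svchost.exe"),
] * 3 + [
    (4872, 632, r"\??\c:\windows\resources\svchost.exe",
     r"\??\c:\windows\resources\spoolsv.exe"),
] * 3


def normalize(path: str) -> str:
    """Drop the NT object-manager prefix (\\??\\) and lower-case the path."""
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def is_masquerade(path: str) -> bool:
    """True when a well-known system binary name runs outside its canonical directory."""
    p = normalize(path)
    expected = EXPECTED_DIRS.get(ntpath.basename(p))
    return expected is not None and ntpath.dirname(p) not in expected


def unique_edges(events):
    """Deduplicate (writer_pid, target_pid) pairs, keeping first-seen order."""
    edges = []
    for writer, target, _, _ in events:
        if (writer, target) not in edges:
            edges.append((writer, target))
    return edges


def images_by_pid(events):
    """Map every PID in the events to the image path the report gives for it."""
    images = {}
    for writer, target, writer_img, target_img in events:
        images.setdefault(writer, writer_img)
        images.setdefault(target, target_img)
    return images


def root_pids(events):
    """PIDs that wrote into others but were never written into themselves."""
    edges = unique_edges(events)
    targets = {t for _, t in edges}
    return list(dict.fromkeys(w for w, _ in edges if w not in targets))


def chain(events):
    """Depth-first walk from the root(s); returns (depth, pid, image, masquerade) rows."""
    children = defaultdict(list)
    for writer, target in unique_edges(events):
        children[writer].append(target)
    images = images_by_pid(events)
    rows = []

    def walk(pid, depth):
        rows.append((depth, pid, images[pid], is_masquerade(images[pid])))
        for child in children[pid]:
            walk(child, depth + 1)

    for root in root_pids(events):
        walk(root, 0)
    return rows


def masquerading_pids(events):
    """PIDs whose image name impersonates a system binary from the wrong directory."""
    return {pid for _, pid, _, flagged in chain(events) if flagged}


if __name__ == "__main__":
    for depth, pid, image, flagged in chain(WPM_EVENTS):
        print("  " * depth + f"{pid} {image}" + ("  <- masquerade" if flagged else ""))
```

Run against the rows above, every process after the initial sample is flagged, and the chain has a single root (PID 724, the sample itself). The check deliberately keys on the basename only, so a copy named svchost.exe under a themes folder is caught regardless of how the path was spelled; an allow-list built from real host data should also cover SysWOW64 and any legitimate redistributed copies.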

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp
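Every entry in the Network table is a reverse-DNS (PTR) query sent to 8.8.8.8, so the "Domain" column holds in-addr.arpa names rather than hostnames the sample contacted; the address actually being looked up is the first four labels in reverse order. The Python below is an added example, not part of the report: it decodes those names back into IPv4 addresses (copied from the table; nothing here performs a lookup) and separates private from public ranges so an analyst can see what to pivot on. Reverse lookups of public addresses are also generated by the operating system itself, so the decoded list is a set of leads to check, not an indicator on its own.

```python
"""Added example (not from the report): decode the reverse-DNS (PTR) query
names in the Network table back into the IPv4 addresses that were looked up,
and separate private from public ranges. The names are copied from the table;
nothing here touches the network."""
import ipaddress
from typing import Optional

# Constructed from the Network rows above (all sent to 8.8.8.8:53 over UDP).
PTR_QUERIES = [
    "97.17.167.52.in-addr.arpa",
    "172.210.232.199.in-addr.arpa",
    "72.32.126.40.in-addr.arpa",
    "232.168.11.51.in-addr.arpa",
    "133.211.185.52.in-addr.arpa",
    "86.23.85.13.in-addr.arpa",
    "171.39.242.20.in-addr.arpa",
    "140.71.91.104.in-addr.arpa",
    "203.107.17.2.in-addr.arpa",
    "95.16.208.104.in-addr.arpa",
]


def ptr_to_ipv4(name: str) -> Optional[ipaddress.IPv4Address]:
    """'97.17.167.52.in-addr.arpa' -> 52.167.17.97; None for anything malformed."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ipaddress.AddressValueError:
        return None


def decode_all(names):
    """Decoded addresses in table order, skipping unparsable names."""
    return [addr for addr in map(ptr_to_ipv4, names) if addr is not None]


def split_by_scope(names):
    """Return ({public}, {private}) address strings from the query names."""
    public, private = set(), set()
    for addr in decode_all(names):
        (private if addr.is_private else public).add(str(addr))
    return public, private


if __name__ == "__main__":
    public, private = split_by_scope(PTR_QUERIES)
    print("public:", sorted(public))
    print("private:", sorted(private))
```

For the ten rows above every decoded address is public and none is in an RFC 1918 range, so nothing here points at lateral movement inside the sandbox network; whether any of them is contacted directly would need to come from the connection records, which this table does not list.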

Files

memory/724-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/724-1-0x00000000775B4000-0x00000000775B6000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 3da05708172c3927b910c00b692c7826
SHA1 a0a0328923a4c0d2a989ced05bee61cfca358d80
SHA256 9dc1da6f9be2f0a9ddff03d1e358ea8416407335f6eba457f14980798f158750
SHA512 13eb0b3e158557f06643fa6d5be58a22606a76f1d37f0e614235f8c664b303938ebac579d0478962bd56ae1888dbc3d6be1d5f8d39eb29a8faf11d0dc4955173

memory/2708-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 e68b524a318cf2dd86aea0e0c5ce7e32
SHA1 6ba78a73207531fdfa8ec312c79d7319c85198a3
SHA256 a91f4be20f1a0b28b8eee9c568f12766fad232bc5b77785877c11c6032dd5263
SHA512 6e7b5de3db2dd144a151c5165df4019b69fecad8dd7190d75ea8b20b5a7b929d2286087c0e933572ff83f040acf63963478576b8800fb6e6c25a0ceddb0edbf7

memory/2824-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

\??\c:\windows\resources\svchost.exe

MD5 c4b0d42914004750e64140aa1ec77424
SHA1 4cee0b49ad5f54f712b948e4fea3d2920938a85b
SHA256 3cbb555d0ce0a9c328a4d5617f37d0c6eaaeaec8326484e79d0fb5ca73f5c7e4
SHA512 9c820ec7f17cd6484e7567e41bae45bb8adfc30c3d168461fe831dec621b8989b4bcb0b2c6ce1c60eb3b35fcd8a143981c4558eac00b9d38d68d9f571eac0f1d

memory/4872-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/632-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/632-37-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/724-39-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2824-38-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2708-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4872-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2708-47-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2708-53-0x0000000000400000-0x0000000000A0E000-memory.dmp