Malware Analysis Report

2025-01-06 10:59

Sample ID 240603-ff7evsdc63
Target e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5
SHA256 e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5

Threat Level: Known bad

The file e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Identifies Wine through registry keys

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:49

Reported

2024-06-03 04:52

Platform

win7-20240508-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine \??\c:\windows\resources\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe N/A (18 rows)
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A (23 rows)
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A (2 rows)
N/A N/A \??\c:\windows\resources\svchost.exe N/A (21 rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe \??\c:\windows\resources\themes\explorer.exe (4 rows)
PID 2604 wrote to memory of 2924 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe (4 rows)
PID 2924 wrote to memory of 2376 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe (4 rows)
PID 2376 wrote to memory of 752 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe (4 rows)
PID 2604 wrote to memory of 2740 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe (4 rows)
PID 2376 wrote to memory of 2104 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe (4 rows)
PID 2376 wrote to memory of 2648 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe (4 rows)
PID 2376 wrote to memory of 2844 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe (4 rows)
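The WriteProcessMemory table lists the hand-off chain out of order and repeats every write, so the actual tree (sample to the fake explorer.exe, to spoolsv.exe, to svchost.exe, which then spawns another spoolsv.exe and three schtasks.exe) takes some effort to read off. As an added example, not part of the report or of the sandbox's own tooling, the script below parses rows in the table's own text format and prints the chain as a tree rooted at the submitted sample. ROWS is constructed from the behavioral1 table (one copy of each distinct write with its repeat count); the regular expression assumes the report's column layout and paths without spaces, which holds for every row on this page.

```python
"""Rebuild the process chain from the "Suspicious use of WriteProcessMemory" rows.
Added example, not part of the report; ROWS is constructed from the behavioral1 table."""
import re
from collections import Counter

# One report row; an optional "(N rows)" suffix stands for N repeats of the same write.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+?)(?: \((\d+) rows\))?$")

ROWS = r"""
PID 2188 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe \??\c:\windows\resources\themes\explorer.exe (4 rows)
PID 2604 wrote to memory of 2924 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe (4 rows)
PID 2924 wrote to memory of 2376 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe (4 rows)
PID 2376 wrote to memory of 752 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe (4 rows)
PID 2604 wrote to memory of 2740 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe (4 rows)
PID 2376 wrote to memory of 2104 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe (4 rows)
PID 2376 wrote to memory of 2648 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe (4 rows)
PID 2376 wrote to memory of 2844 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe (4 rows)
"""


def parse_rows(text):
    """Return ({pid: image}, Counter{(writer_pid, target_pid): writes}); other lines are skipped."""
    images, edges = {}, Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m[1]), int(m[2])
        images[src], images[dst] = m[3], m[4]
        edges[(src, dst)] += int(m[5]) if m[5] else 1
    return images, edges


def roots(edges):
    """PIDs that write to others but are never written to: the chain's origin."""
    return sorted({s for s, _ in edges} - {d for _, d in edges})


def children(edges, pid):
    return sorted(d for s, d in edges if s == pid)


def render(images, edges, pid, depth=0, seen=None):
    """Indented tree, one line per process; a repeated PID is cut so a bad report cannot loop."""
    seen = set() if seen is None else seen
    if pid in seen:
        return [f"{'  ' * depth}{pid} (already shown)"]
    seen.add(pid)
    lines = [f"{'  ' * depth}{pid} {images[pid]}"]
    for child in children(edges, pid):
        lines += render(images, edges, child, depth + 1, seen)
    return lines


def chain_depth(edges, pid):
    """Longest hand-off chain from pid (assumes the edges are acyclic, as they are here)."""
    return 1 + max((chain_depth(edges, k) for k in children(edges, pid)), default=0)


if __name__ == "__main__":
    images, edges = parse_rows(ROWS)
    for root in roots(edges):
        print("\n".join(render(images, edges, root)))
        print("hand-offs:", chain_depth(edges, root) - 1, "| total writes:", sum(edges.values()))
```

Run against the table this yields a single root (PID 2188, the submitted sample) and a four-deep chain before the scheduled tasks are created; the repeat counts are kept because a write count that differs between detonations is itself worth noticing. Note that WriteProcessMemory on a freshly created child is what this sandbox signature records, so the tree is a parent/child tree, not proof of injection into a running process.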

Processes

C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe

"C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:52 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:53 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:54 /f
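The process list above, together with the registry rows earlier in this analysis, is enough to write detections for this behaviour. The following is an added example, not the sandbox's signatures and not code from the report: four rules evaluated over a constructed set of normalised telemetry events. The event schema (type/image/parent_image/cmdline/key/value/data), the rule names, the TRUSTED_DIRS policy and the benign vendor paths are all assumptions made for the example. The events mirror behavioral1 rows (look-alike system binaries under c:\windows\resources, the schtasks /create actions, the RunOnce values, ShowSuperHidden = 0, the VirtualBox and BIOS registry probes) and include benign look-alikes that must not fire.

```python
"""Detection rules for the behaviours in this report, run over constructed telemetry.
Added example, not part of the report; the event schema is an assumed normalisation layer."""
import ntpath
import re
from collections import namedtuple

Alert = namedtuple("Alert", "rule image detail")   # image: process the finding is attributed to
# Where the genuine copies of these binaries live (lower-case, no trailing slash).
EXPECTED_DIRS = {"explorer.exe": {"c:\\windows"},
                 "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
                 "spoolsv.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"}}
# Autorun/task targets under these prefixes are expected; c:\windows\resources is not (assumed policy).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\",
                "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
VM_PROBE_KEYS = ("\\hardware\\acpi\\dsdt\\vbox__", "\\software\\wine")
BIOS_VALUES = {"systembiosversion", "videobiosversion"}
AUTORUN_RE = re.compile(r"\\currentversion\\run(once)?$")
TASK_TR_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
EXE_RE = re.compile(r'^"?([^"]+?\.exe)', re.IGNORECASE)   # first .exe token, quoted or not


def norm_path(p):
    """Lower-case and strip the \\??\\ object-manager prefix the report shows."""
    p = p.strip().lower()
    return p[4:] if p.startswith("\\??\\") else p


def rule_masquerade(ev):
    """A system binary name running from a directory it never lives in."""
    if ev["type"] != "process":
        return None
    image = norm_path(ev["image"])
    expected = EXPECTED_DIRS.get(ntpath.basename(image))
    if expected and ntpath.dirname(image) not in expected:
        return Alert("masquerading_system_binary", image, f"runs from {ntpath.dirname(image)}")
    return None


def rule_scheduled_task(ev):
    """schtasks /create whose /tr action points outside the trusted directories."""
    if ev["type"] != "process" or ntpath.basename(norm_path(ev["image"])) != "schtasks.exe":
        return None
    cmd = ev.get("cmdline", "")
    m = TASK_TR_RE.search(cmd)
    if "/create" not in cmd.lower() or not m:
        return None
    target = norm_path(m.group(1) or m.group(2))
    if target.startswith(TRUSTED_DIRS):
        return None
    # schtasks.exe is only the proxy: attribute the finding to the parent that ran it.
    return Alert("scheduled_task_untrusted_path", norm_path(ev.get("parent_image", "")), target)


def rule_registry_set(ev):
    """Run/RunOnce entries outside trusted directories, and ShowSuperHidden forced to 0."""
    if ev["type"] != "reg_set":
        return None
    key, image, data = norm_path(ev["key"]), norm_path(ev["image"]), str(ev["data"]).strip()
    value = ev.get("value", "")
    if AUTORUN_RE.search(key):
        m = EXE_RE.match(data)                      # drops arguments such as the trailing " RO"
        target = norm_path(m.group(1) if m else data)
        if not target.startswith(TRUSTED_DIRS):
            return Alert("suspicious_autorun_entry", image, f"{value} = {target}")
    elif key.endswith("\\explorer\\advanced") and value.lower() == "showsuperhidden" and data in ("0", "0x00000000"):
        return Alert("hides_system_files", image, "ShowSuperHidden = 0")
    return None


def rule_vm_probe(ev):
    """Registry reads only a VM/sandbox check makes. Key opens and value reads are not
    Sysmon events, so this rule needs sandbox or EDR telemetry."""
    if ev["type"] not in ("reg_open", "reg_query"):
        return None
    key = norm_path(ev["key"])
    if any(k in key for k in VM_PROBE_KEYS):
        return Alert("anti_vm_registry_probe", norm_path(ev["image"]), key)
    if key.endswith("\\hardware\\description\\system") and ev.get("value", "").lower() in BIOS_VALUES:
        return Alert("bios_version_query_weak", norm_path(ev["image"]), ev["value"])  # common in benign software
    return None


RULES = (rule_masquerade, rule_scheduled_task, rule_registry_set, rule_vm_probe)


def evaluate(events):
    """Run every rule over every event; identical findings are reported once."""
    alerts = []
    for ev in events:
        for rule in RULES:
            a = rule(ev)
            if a and a not in alerts:
                alerts.append(a)
    return alerts


# Constructed events mirroring rows of behavioral1, then benign look-alikes that must stay quiet.
SID = r"\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"\??\c:\windows\resources\svchost.exe", "cmdline": "",
     "parent_image": r"\??\c:\windows\resources\spoolsv.exe"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe", "parent_image": r"\??\c:\windows\resources\svchost.exe",
     "cmdline": r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:52 /f'},
    {"type": "reg_set", "image": r"\??\c:\windows\resources\svchost.exe", "value": "Svchost",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce", "data": r"c:\windows\resources\svchost.exe RO"},
    {"type": "reg_set", "image": r"\??\c:\windows\resources\svchost.exe", "value": "ShowSuperHidden",
     "key": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "data": "0"},
    {"type": "reg_open", "image": r"\??\c:\windows\resources\spoolsv.exe", "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "reg_query", "image": r"\??\c:\windows\resources\spoolsv.exe", "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System", "value": "SystemBiosVersion"},
    {"type": "process", "image": r"C:\Windows\Explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": ""},
    {"type": "reg_set", "image": r"C:\Program Files\Vendor\setup.exe", "value": "VendorUpdater",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "data": r'"C:\Program Files\Vendor\updater.exe" /background'},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a.rule:30} {a.image}  {a.detail}")
```

Two design points worth keeping when porting this to a real rule engine. The masquerade rule keys on the directory rather than the name, so the genuine C:\Windows\Explorer.exe that appears in the process list stays quiet while the copy under c:\windows\resources\themes fires; and the scheduled-task finding is attributed to the parent of schtasks.exe, because in this report the parent is the dropped svchost.exe, which is the process you want to correlate with the RunOnce write and the ShowSuperHidden change. The BIOS version reads are reported as weak on purpose: hardware-inventory and licensing software reads the same values, and only the VBOX__ and Wine key opens have no benign explanation.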

Network

N/A

Files

memory/2188-0-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2188-2-0x0000000076C30000-0x0000000076D20000-memory.dmp

memory/2188-1-0x0000000076C40000-0x0000000076C41000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 7d1ca9c434b726bede74240a8e59d61c
SHA1 2bbc8f7d122356a885935cc235ff85b0e6a9232b
SHA256 81e170025c80c75f9fc4b36c3f2a39d8b619db9beebd3584b80120de0281b620
SHA512 3cd3da5aba120f38e163a1035845ca603817e84f85044d8e45fe4fe1d95e5f6b4fa9a2df7ae87b59affb19044e0a12bc2b1a9f8de98d5cbe2f633b15e8e1db6b

memory/2188-16-0x0000000005690000-0x0000000005B03000-memory.dmp

memory/2188-15-0x0000000005690000-0x0000000005B03000-memory.dmp

memory/2604-17-0x0000000000400000-0x0000000000873000-memory.dmp

\Windows\Resources\spoolsv.exe

MD5 0e8efbc8ed48590cfd14e672c0b9cd3f
SHA1 4c78ba5f6b85c47e6a302f640250e296a8cbde62
SHA256 d4c2084fd9616a7aeb3df40e0d6b50a703c7b4fa3fd222055112c17a7f56e922
SHA512 97c69b2848489c3fe5464f9e9ee298304e71514af8c8ed47c6a2d3fbb872ee9d23ba5f86c68503d77e886131038e8c9d2bdf0010cfab475b95ddf92763495316

memory/2604-30-0x00000000056C0000-0x0000000005B33000-memory.dmp

memory/2924-32-0x0000000000400000-0x0000000000873000-memory.dmp

\Windows\Resources\svchost.exe

MD5 d06e09ccdce74fd7840708ec39751d8e
SHA1 d5b8724478326e8aa7f8a6ccb4ac5bd8194ddffd
SHA256 c95991da137c5ae3787f79b5712a7a60bf506dc5896d666762795ec606b9a60a
SHA512 b6cdc07e8a9eadb738941e317f90b374e89bd7d2d84196ff25e356137b7241a327068935c587a23541f3f7d561789eba32fd31b28a0ce1cdf7adfc5d5cca0dc9

memory/2924-46-0x0000000005540000-0x00000000059B3000-memory.dmp

memory/2376-48-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2924-47-0x0000000005540000-0x00000000059B3000-memory.dmp

memory/2376-57-0x0000000005220000-0x0000000005693000-memory.dmp

memory/2188-55-0x0000000000400000-0x0000000000873000-memory.dmp

memory/752-58-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2924-64-0x0000000000400000-0x0000000000873000-memory.dmp

memory/752-65-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2188-68-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2188-67-0x0000000076C30000-0x0000000076D20000-memory.dmp

memory/2604-69-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2604-70-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2376-71-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2604-72-0x00000000056C0000-0x0000000005B33000-memory.dmp

memory/2604-73-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2376-75-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2376-74-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2604-76-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2376-77-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2604-78-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2376-79-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2604-80-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2376-81-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2604-82-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2376-83-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2604-84-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2376-85-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2604-86-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2376-87-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2604-88-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2376-89-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2604-90-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2376-91-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2604-92-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2376-93-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2604-94-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2376-95-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2604-96-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2376-97-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2604-98-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2376-99-0x0000000000400000-0x0000000000873000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:49

Reported

2024-06-03 04:52

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine \??\c:\windows\resources\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe N/A (36 rows)
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A (28 rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 648 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe \??\c:\windows\resources\themes\explorer.exe (3 identical rows)
PID 4216 wrote to memory of 1256 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe (3 identical rows)
PID 1256 wrote to memory of 4064 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe (3 identical rows)
PID 4064 wrote to memory of 1872 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe

"C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4480 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

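The WriteProcessMemory table and the process list above describe a chain in which each stage writes into the next one it spawns, and every stage after the first carries the name of a Windows system binary (explorer.exe, spoolsv.exe, svchost.exe) but runs from c:\windows\resources, where no such binary belongs. The following script is an added example, not part of the sandbox report or of the sample's own code: it parses the report's WriteProcessMemory rows (copied into the script as constructed input, one line per distinct parent/child pair), reconstructs the PID chain, and flags any image whose file name is a well-known Windows binary but whose directory is not the one that binary ships in. The EXPECTED_DIRS table is an assumption about where those binaries live on a standard install, not something the report states.

```python
import ntpath
import re
from collections import defaultdict

# Constructed input: the distinct parent/child pairs from the
# "Suspicious use of WriteProcessMemory" table of this report (each pair
# appears three times in the report; the Indicator column is N/A throughout).
WRITEPROCESSMEMORY_EVENTS = r"""
PID 648 wrote to memory of 4216 C:\Users\Admin\AppData\Local\Temp\e28d7ffda9222b82ad77d66cbb86f23ef50425486ab68c6a531ed8393951c5d5.exe \??\c:\windows\resources\themes\explorer.exe
PID 4216 wrote to memory of 1256 \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1256 wrote to memory of 4064 \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4064 wrote to memory of 1872 \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
"""

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+)$")

# Assumption: directories where these Windows binaries legitimately live on a
# standard install (lower-case, no trailing separator). The same file name
# anywhere else is treated as masquerading.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}


def normalize(path: str) -> str:
    """Strip the NT object-manager prefix (\\??\\) and lower-case the path."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def is_masquerading(path: str) -> bool:
    """True if the file name is a known Windows binary outside its home directory."""
    p = normalize(path)
    name = ntpath.basename(p)
    if name not in EXPECTED_DIRS:
        return False
    return ntpath.dirname(p) not in EXPECTED_DIRS[name]


def parse_events(text: str):
    """Turn the report rows into (writer_pid, target_pid, writer_path, target_path)."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        src, dst, src_path, dst_path = m.groups()
        events.append((int(src), int(dst), src_path, dst_path))
    return events


def injection_chain(events):
    """Follow writer -> written-to edges from the root process (a PID nobody wrote to)."""
    children = defaultdict(list)
    targets = set()
    for src, dst, _, _ in events:
        children[src].append(dst)
        targets.add(dst)
    roots = [src for src in children if src not in targets]
    chain, stack, seen = [], list(reversed(roots)), set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        chain.append(pid)
        stack.extend(reversed(children.get(pid, [])))
    return chain


def process_images(events):
    """Map every PID seen in the table to its image path."""
    images = {}
    for src, dst, src_path, dst_path in events:
        images.setdefault(src, src_path)
        images.setdefault(dst, dst_path)
    return images


def triage(text: str):
    """Chain of PIDs plus the sorted set of masquerading image paths."""
    events = parse_events(text)
    images = process_images(events)
    chain = injection_chain(events)
    flagged = sorted({normalize(p) for p in images.values() if is_masquerading(p)})
    return {"chain": chain, "images": images, "masquerading": flagged}


if __name__ == "__main__":
    result = triage(WRITEPROCESSMEMORY_EVENTS)
    print(" -> ".join(f"{pid} ({ntpath.basename(result['images'][pid])})"
                     for pid in result["chain"]))
    for path in result["masquerading"]:
        print("masquerading system binary:", path)
```

Run against the rows above it yields the chain 648 -> 4216 -> 1256 -> 4064 -> 1872 and flags the three c:\windows\resources images; the original dropper in the user's Temp directory is not flagged, since its name is not one of the system binaries in the table. The same two checks (a write-to-child chain, and a system binary name outside its home directory) are what a detection rule over Sysmon process-creation or process-access events would key on.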
Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.201.106:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

memory/648-0-0x0000000000400000-0x0000000000873000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 f45e33ed7d9e40ed7e10dff2b0b13a2c
SHA1 458a9239de57e9ae6ad3c634bd4cef8205de6e0e
SHA256 d9a3a8999f1423d2273626255839f0f33141c2d43c80da768904bc92e76bd379
SHA512 568e59d1335df112f14c2abe0c38d549fb8f6ea119c09db9095d3042125c8449591ceb120a69f5c9791673f44f9921a049c82434a053eba06eba9b52d7591052

C:\Windows\Resources\spoolsv.exe

MD5 683eaac0040326ff177e0f1c47925147
SHA1 1fe7d8623a89f985bb8bc010a3da73544c4bc050
SHA256 d9db8dec9afd23e1bdd98939070cd3f3cebc7a30ec9dc90035fd964d26bd2b60
SHA512 913dc55aae28eb507d98dcf0606ec7b9a793418d27f983d8d749214eb53f6c487df1eede1d67255c0f47a10a4ab64adb5a55959aa24df039047d5e4b487aeac5

memory/1256-17-0x0000000000400000-0x0000000000873000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 7d43313e45a2e9510882a98ff0e2ed93
SHA1 efa50d1eb9a3398b8f15385b21d06a105d93e2ae
SHA256 ddb8db0b1a1cfafd730facecabd429d4fbcc018390c8074203923a870fd8e529
SHA512 4591e99c800b5891dd174a44fe3b7a713623355180764332a334c7d8bcc119731bd7ca53d303776d3201bceefe9f0872ca8e3f5e8d2e9d9fbd30a1c493ed15a2

memory/648-30-0x0000000000400000-0x0000000000873000-memory.dmp

memory/1872-31-0x0000000000400000-0x0000000000873000-memory.dmp

memory/1256-37-0x0000000000400000-0x0000000000873000-memory.dmp

memory/648-39-0x0000000000400000-0x0000000000873000-memory.dmp

memory/1872-38-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4216-40-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4064-41-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4216-42-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4064-43-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4064-44-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4216-45-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4064-46-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4216-47-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4064-48-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4216-49-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4064-50-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4216-51-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4064-52-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4216-53-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4064-54-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4216-55-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4064-56-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4216-57-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4064-58-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4216-59-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4064-60-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4216-61-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4064-62-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4216-63-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4064-64-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4216-65-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4064-66-0x0000000000400000-0x0000000000873000-memory.dmp

memory/4216-67-0x0000000000400000-0x0000000000873000-memory.dmp
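
The Files section gives the three dropped executables with their hashes and on-disk locations, which is the material an endpoint hunt needs. The script below is an added example, not part of the report or the sample: it carries the three SHA256 values and drop paths from the Files section as IOCs, classifies a file by hash match or by drop-location match, and walks a directory tree applying both. The demo() function builds a constructed temporary tree containing a placeholder file (not the real sample) at one of the drop paths so the path rule can be exercised offline; the hash rule can only fire on the real dropped files.

```python
import hashlib
import os
import tempfile

# IOCs from the Files section of this report: dropped executables and SHA256.
DROPPED_FILE_SHA256 = {
    "d9a3a8999f1423d2273626255839f0f33141c2d43c80da768904bc92e76bd379":
        r"C:\Windows\Resources\Themes\explorer.exe",
    "d9db8dec9afd23e1bdd98939070cd3f3cebc7a30ec9dc90035fd964d26bd2b60":
        r"C:\Windows\Resources\spoolsv.exe",
    "ddb8db0b1a1cfafd730facecabd429d4fbcc018390c8074203923a870fd8e529":
        r"C:\Windows\Resources\svchost.exe",
}

# Drop locations used by this sample, lower-case, relative to the Windows directory.
DROP_PATHS = {
    r"resources\themes\explorer.exe",
    r"resources\spoolsv.exe",
    r"resources\svchost.exe",
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path, digest):
    """Return the reasons a file matches this report's IOCs (empty list = no match)."""
    reasons = []
    if digest in DROPPED_FILE_SHA256:
        reasons.append(f"sha256 matches dropped file {DROPPED_FILE_SHA256[digest]}")
    # Normalise separators so the same rule works on a mounted image or a live host.
    norm = path.lower().replace("/", "\\")
    for rel in sorted(DROP_PATHS):
        if norm.endswith("\\windows\\" + rel):
            reasons.append(f"path matches drop location \\windows\\{rel}")
    return reasons


def hunt(root):
    """Walk root and return {path: reasons} for every file that matches an IOC."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the hunt
            reasons = classify(full, digest)
            if reasons:
                hits[full] = reasons
    return hits


def demo():
    """Constructed demo tree: a placeholder (not the sample) at one drop path,
    plus a file with a legitimate name in its legitimate directory."""
    root = tempfile.mkdtemp(prefix="ioc-hunt-")
    planted = os.path.join(root, "windows", "resources", "themes", "explorer.exe")
    os.makedirs(os.path.dirname(planted))
    with open(planted, "wb") as f:
        f.write(b"MZ placeholder, constructed for the demo, not the real sample\n")
    legit = os.path.join(root, "windows", "explorer.exe")
    with open(legit, "wb") as f:
        f.write(b"MZ placeholder in the expected location\n")
    return hunt(root)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path)
        for r in reasons:
            print("   ", r)
```

On a real host, point hunt() at the Windows directory (or at a mounted image) rather than at the demo tree; a hash hit identifies the exact build analysed here, while a path hit catches a recompiled or repacked variant that reuses the same drop locations.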