Malware Analysis Report

2024-10-16 07:01

Sample ID 240609-mltjhsab52
Target d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4
SHA256 d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4

Threat Level: Known bad

The file d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4 was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Detects executables packed with Themida

Modifies visiblity of hidden/system files in Explorer

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-09 10:33

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 10:33

Reported

2024-06-09 10:37

Platform

win7-20240221-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2744 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe \??\c:\windows\resources\themes\explorer.exe
PID 2744 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe \??\c:\windows\resources\themes\explorer.exe
PID 2744 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe \??\c:\windows\resources\themes\explorer.exe
PID 2744 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe \??\c:\windows\resources\themes\explorer.exe
PID 2844 wrote to memory of 2660 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2844 wrote to memory of 2660 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2844 wrote to memory of 2660 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2844 wrote to memory of 2660 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2660 wrote to memory of 2616 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2660 wrote to memory of 2616 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2660 wrote to memory of 2616 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2660 wrote to memory of 2616 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2616 wrote to memory of 2672 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2616 wrote to memory of 2672 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2616 wrote to memory of 2672 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2616 wrote to memory of 2672 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2844 wrote to memory of 2424 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2844 wrote to memory of 2424 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2844 wrote to memory of 2424 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2844 wrote to memory of 2424 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2616 wrote to memory of 3012 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 3012 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 3012 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 3012 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 2156 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 2156 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 2156 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 2156 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 944 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 944 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 944 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2616 wrote to memory of 944 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe

"C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:37 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:38 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:39 /f

Network

N/A

Files

memory/2744-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2744-1-0x0000000077830000-0x0000000077832000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 c28d97f63f8681abe02a7baa90025174
SHA1 eeac8135e6d4173dcc4bfd8836e286d9471770f7
SHA256 ec6a6d0d42108c88c60c2b6ec7c1d501bb4ac80daa9bf98902475e85fb015344
SHA512 8b117487eb5d375bcc0c92c446d7ce9480f397fbb9821822ff1e469b4df398b6dfe3742e0607d698c1c10f0792171b17a98866de34629e3d5d6fd588dfff05b3

memory/2744-11-0x0000000003280000-0x000000000388E000-memory.dmp

memory/2844-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 6582fc098959c89616a9b041ea9b5785
SHA1 32a9e396a614601dc81027c6722ff65c75b4f285
SHA256 c3b4f52272c6743a00b9d0407b9dd9bc95da9d00c01b458428c2c296122dad24
SHA512 ec68ce0bdd42b61e71514bb54c1b5a6bed1f2d09bc6967a211860a0c1abf20ecca297a6792d9f78322f608cfd4a5b5935ddd3d45da11b9758651ad0aa38c6044

memory/2844-23-0x0000000003340000-0x000000000394E000-memory.dmp

memory/2660-24-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\svchost.exe

MD5 1ce15cb36ce125af97710500dbbc0a6e
SHA1 166af55740eb98728f61b0304f82f497ddc1de15
SHA256 bfed5f932c17308da5670096a1c56edcf44bff3e884e435d932a96aa81c855cb
SHA512 033a6efb1f5e680f5c1a4853e481a908a4450a1589e02c20535eac39488ceb66983e8ba69ada6fb552a684e197b58fde82a8bde2ab7182b381cc60bd792662d0

memory/2616-35-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2660-36-0x00000000033B0000-0x00000000039BE000-memory.dmp

memory/2672-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2616-43-0x0000000003390000-0x000000000399E000-memory.dmp

memory/2672-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2660-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2744-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2844-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2616-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2844-56-0x0000000003340000-0x000000000394E000-memory.dmp

memory/2616-59-0x0000000003390000-0x000000000399E000-memory.dmp

memory/2844-62-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2844-68-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2616-77-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 10:33

Reported

2024-06-09 10:37

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4060 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe \??\c:\windows\resources\themes\explorer.exe
PID 4060 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe \??\c:\windows\resources\themes\explorer.exe
PID 4060 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe \??\c:\windows\resources\themes\explorer.exe
PID 4992 wrote to memory of 4784 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4992 wrote to memory of 4784 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4992 wrote to memory of 4784 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4784 wrote to memory of 4152 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4784 wrote to memory of 4152 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4784 wrote to memory of 4152 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4152 wrote to memory of 4212 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4152 wrote to memory of 4212 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4152 wrote to memory of 4212 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe

"C:\Users\Admin\AppData\Local\Temp\d24b9025d64bf2f3e09fee7c6c7382ad059b4606ea95ea9d1129ffe3d53cf5d4.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 216.58.214.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

memory/4060-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4060-1-0x00000000778D4000-0x00000000778D6000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 7b9ac5ee7ae7d812ab60c88c682211bf
SHA1 1011adf913f0b3c1e19509c2e8159d071d41bda2
SHA256 f43a8da4ffae327110b34adbbc35b6895113406bf3a7d6317079df2d7d849fe0
SHA512 9cb18358c48bf7604c8ed56251cb3c056b1f737fd3f7a5b0b59f3564fcd588c6b407c780eae57717dc5796c5f65acf236cf942f1dc72d2b96fd73707e319ad31

memory/4992-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 5ccf96443f94058ca3061e260d3449dc
SHA1 f6a362c5c788ef752b84cda617771b89df943304
SHA256 91c3e76c41eda56b1818ef0896a9bcaf4ed3380cfcd35536b081238d12b0e440
SHA512 a1d0d9317b5f0c73c415d80b2c797ac62ae084599c3a546e5e29873c3060f5019c537459ea83c9be55ab868a1a6cf4e4fd76a8212df15f480ce48148749e0f80

memory/4784-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 8873cc821a9f5fa18ee18b03eaf2aa1c
SHA1 2c5acfe3eb74619f579f3e2f0c384a117ebcd9e8
SHA256 22911182305dd4d85c86542a0bcd410bcea9cab92a0cca8b2750519a4f5b874c
SHA512 b3963bbf68a9e920ae44c8c3e34480d7e1d5b57032ea204e2b9068dd178d4dd6a10e235db26966101285024decf08a9152d899210fb102d37082fbdcb3e3c790

memory/4152-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4212-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4212-37-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4784-38-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4060-39-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4992-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4152-41-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4152-47-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4152-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4992-52-0x0000000000400000-0x0000000000A0E000-memory.dmp