Malware Analysis Report

2024-10-16 07:00

Sample ID 240609-mxn36shf3x
Target d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879
SHA256 d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879

Threat Level: Known bad

The file d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879 was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Modifies visibility of hidden/system files in Explorer

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-09 10:50

Signatures

Detects executables packed with Themida

Hits: 1 (no description, indicator, process or target details recorded)

Themida packer

themida
Hits: 1 (no description, indicator, process or target details recorded)

Unsigned PE

Hits: 1 (no description, indicator, process or target details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 10:50

Reported

2024-06-09 10:53

Platform

win7-20240221-en

Max time kernel

124s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Detects executables packed with Themida

Hits: 18 (no description, indicator, process or target details recorded)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Hits: 18 (no description, indicator, process or target details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Hits (no description, indicator or target recorded)
C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe 17
\??\c:\windows\resources\themes\explorer.exe 23
\??\c:\windows\resources\svchost.exe 24

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Hits
PID 2860 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe \??\c:\windows\resources\themes\explorer.exe 4
PID 1996 wrote to memory of 2572 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe 4
PID 2572 wrote to memory of 2476 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe 4
PID 2476 wrote to memory of 2640 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe 4
PID 1996 wrote to memory of 2420 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe 4
PID 2476 wrote to memory of 2448 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2476 wrote to memory of 2900 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2476 wrote to memory of 856 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe

"C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:52 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:53 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:54 /f

Network

N/A

Files

memory/2860-2-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2860-4-0x0000000077680000-0x0000000077682000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 5441d975397d436a0141b7c5eb77d53c
SHA1 bbff9a108ba557aa9c744952a1323c5946caaafe
SHA256 fa46ab633e4750127647414897f0bd06221fd96046492a24ae8e269705c902bb
SHA512 a26fac53c19491200b7d896580f166e084a89323967a4f6f4d89a5665c9b77737f04680be8e9f62dcd1106f500d7f20a974dea9eb332359ef7831cd83a44c55a

memory/1996-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2860-11-0x0000000003730000-0x0000000003D3E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 bdb049af53e374778511f7138abdb36e
SHA1 2f4882258edb7ec5781e85f163a8e9bc0cab2286
SHA256 f8a31ce10f0748c9aa031d0eed50437d26cd40dacb57d045487c1e82ff98506d
SHA512 cec53d225b6bc40d49de8c0e4f467820002b1128a89b655049559fa66611e62086357dcfacb59896bbfd83b7a0f130ec9605f860ff5311daf000218189c7a2d3

memory/1996-22-0x00000000037B0000-0x0000000003DBE000-memory.dmp

memory/2572-24-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 7463708b2e1dee5374cbbe1fa79d6c0f
SHA1 925aec9adb6d8049d6b4afd589d314e08b3fc208
SHA256 a25f8b6475190e1818ebd5023f60bfd7d73394ca1376ce08f809596d081bf454
SHA512 c55921eabd0a4e5881114a131d1d111ad3163f16f8a96849f7fa02c32c6e8c56440aeedc479e68e4eff657b084661a9596cc6106fadc53dfba3c1ed200b3798b

memory/2476-36-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2572-35-0x0000000003810000-0x0000000003E1E000-memory.dmp

memory/2860-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2640-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2640-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2572-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2860-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1996-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2476-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1996-56-0x00000000037B0000-0x0000000003DBE000-memory.dmp

memory/1996-67-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2476-74-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2476-80-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 10:50

Reported

2024-06-09 10:53

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Detects executables packed with Themida

Hits: 17 (no description, indicator, process or target details recorded)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Hits: 17 (no description, indicator, process or target details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Hits (no description, indicator or target recorded)
C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe 34
\??\c:\windows\resources\themes\explorer.exe 30

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4888 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe \??\c:\windows\resources\themes\explorer.exe
PID 4324 wrote to memory of 2776 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2776 wrote to memory of 4612 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4612 wrote to memory of 3296 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe

"C:\Users\Admin\AppData\Local\Temp\d68a95d3261a2cab1f4df507df39b6a7911c67cc0333362fff36f01c23a3e879.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3984 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

memory/4888-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4888-1-0x00000000778E4000-0x00000000778E6000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 f40a76818232bb0e2eafd8263cb89614
SHA1 cd4948df94cd067a264a5353dc29795d6b55ebaa
SHA256 4670e7fd2479b4a3200186c1a7011ed65ae16925d2103d4a80d75899fd097904
SHA512 d0c72f49b3c9f9d3cec0a0dc142acdd335d82b843cb673c4564056994e429b99ef64a0bfce9c3199f239a6d68fee86cafdb4f3da145e63f51f96420a0a99d9a1

memory/4324-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 288d084162a242c193e48b915e05eb19
SHA1 eb9d179cf5506d9d6c12006461c200cbf9260077
SHA256 9c0f7c35584b466ea280add989a9ffbb195c5b791b6b54cce2c959dc5922fe02
SHA512 dd6a199229d0a7d055dca87c85c47102de6ef6f9d1ffedc0b6e3f667b80db7743fd82bfe72b56fcde39cfd098ded49383988bb2c652e4ac993cfccd2ea63514f

memory/2776-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 4deec214943e86c0ed66c8eb02f510fe
SHA1 0d8a4b02332fd127d47fffdc978eb58c48791559
SHA256 439d9b14c20a251ad50344f58ba321681869ab48e0497fffb3dbec68d358e493
SHA512 98bc6ed07e66713544375fa8df9ed768a9c6e97147a0997e3af42b4d8e4e27eda3affea6dab9b7d7897e27e3cb64720a0a307a251df67e8d9d0ea73345bbd691

memory/4612-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3296-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3296-39-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4888-41-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2776-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4324-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4612-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4612-46-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4324-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4324-63-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4612-68-0x0000000000400000-0x0000000000A0E000-memory.dmp