Malware Analysis Report

2024-10-10 08:02

Sample ID 240611-x43j9aycpk
Target 1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f
SHA256 1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f

Threat Level: Known bad

The file 1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Modifies visibility of hidden/system files in Explorer

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Detects executables packed with Themida

Loads dropped DLL

Executes dropped EXE

Checks BIOS information in registry

Themida packer

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 19:25

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 19:25

Reported

2024-06-11 19:27

Platform

win7-20231129-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\themes\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\spoolsv.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\spoolsv.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\themes\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\themes\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\themes\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A
File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe | N/A
File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 888 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe | \??\c:\windows\resources\themes\explorer.exe
PID 888 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe | \??\c:\windows\resources\themes\explorer.exe
PID 888 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe | \??\c:\windows\resources\themes\explorer.exe
PID 888 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe | \??\c:\windows\resources\themes\explorer.exe
PID 2356 wrote to memory of 3020 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 2356 wrote to memory of 3020 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 2356 wrote to memory of 3020 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 2356 wrote to memory of 3020 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 3020 wrote to memory of 2588 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 3020 wrote to memory of 2588 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 3020 wrote to memory of 2588 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 3020 wrote to memory of 2588 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2588 wrote to memory of 2644 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2588 wrote to memory of 2644 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2588 wrote to memory of 2644 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2588 wrote to memory of 2644 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2356 wrote to memory of 2560 | N/A | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
PID 2356 wrote to memory of 2560 | N/A | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
PID 2356 wrote to memory of 2560 | N/A | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
PID 2356 wrote to memory of 2560 | N/A | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
PID 2588 wrote to memory of 2624 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2588 wrote to memory of 2624 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2588 wrote to memory of 2624 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2588 wrote to memory of 2624 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2588 wrote to memory of 1680 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2588 wrote to memory of 1680 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2588 wrote to memory of 1680 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2588 wrote to memory of 1680 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2588 wrote to memory of 852 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2588 wrote to memory of 852 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2588 wrote to memory of 852 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2588 wrote to memory of 852 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe

"C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:27 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:28 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:29 /f

Network

N/A

Files

memory/888-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/888-1-0x0000000077E40000-0x0000000077E42000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 6747c7fe7e448219551c1bdf84f082e4
SHA1 79423943d9c13a6139ef0b09e993fc3961d49956
SHA256 cac0641596f2bc440aaf6266a48ab31acf337cec321cc4442b7c99739061b076
SHA512 3c4217bc08914e72bfd82bb0fb0c87f6e875b40598ba84d29a193e8acfdd4a96beee3f888fc6dace32128c8d196e8c7da976539560dfe216d825749af4e1248f

memory/888-11-0x0000000003770000-0x0000000003D7E000-memory.dmp

memory/2356-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 a126d9ee8f4000ca13282b2775c22431
SHA1 1f1236dedec21a18b5ffc0f23a25bdea5c4d5396
SHA256 0022a2bc479056965b713a6e84a7ace63f2f6267014620a8b2e4af59f32123eb
SHA512 4d8be0122ab480863743581e92dcb4cceb1132ac3ebe3ae9907038e1c746274473a35bfc0616ae66f00594a08001393dcc4536704a976450d2c00193fbac39cd

memory/3020-24-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2356-23-0x00000000037F0000-0x0000000003DFE000-memory.dmp

\Windows\Resources\svchost.exe

MD5 548e25c1f9285c990c5e85a0cee7930d
SHA1 0d90c4572d0ee038cf39fda60f9a680da9a51866
SHA256 88f8ba7c12fa60ca9b91f2a806f5b98a2dff46ec57b2327afcda1ed935e306d5
SHA512 e51c324dc247da4b02062445c91d35eaf003ee7844500bd8ac08c5b1504c901ff871532dbf880d3b880efc795775eab7faf59bdd31d0321d133cae48a5e81f89

memory/2588-36-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3020-35-0x0000000003720000-0x0000000003D2E000-memory.dmp

memory/888-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/888-44-0x0000000003770000-0x0000000003D7E000-memory.dmp

memory/2644-45-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2644-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3020-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/888-52-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2356-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2356-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2588-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2356-62-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2356-66-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 19:25

Reported

2024-06-11 19:27

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\themes\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\spoolsv.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\spoolsv.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\themes\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\themes\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\themes\explorer.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe | N/A
File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A
File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4468 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe \??\c:\windows\resources\themes\explorer.exe
PID 4468 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe \??\c:\windows\resources\themes\explorer.exe
PID 4468 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe \??\c:\windows\resources\themes\explorer.exe
PID 1716 wrote to memory of 980 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1716 wrote to memory of 980 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1716 wrote to memory of 980 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 980 wrote to memory of 1004 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 980 wrote to memory of 1004 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 980 wrote to memory of 1004 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1004 wrote to memory of 3252 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1004 wrote to memory of 3252 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1004 wrote to memory of 3252 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe

"C:\Users\Admin\AppData\Local\Temp\1f3ed61fb8ce1387f60463558e4ebd4b1dbecf361ed48309b0254a7d4903736f.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 179.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 187.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4468-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4468-1-0x00000000772A4000-0x00000000772A6000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 fbcf3c6a8c5606f7e35f08b5fdc4bb8d
SHA1 186ef5d4bd7a5bcb6f6010d40fe81f6f340d7031
SHA256 5be928cec32b1ca8baafa6aa1a95cb7eedbcbc6f09dadf2d4cc5245a69215cec
SHA512 69be5ba24f4a0ac3cd8c78bc814dd771f37717ceddeaae16915110295a20fcc25d198c4fd087d05b138ddfcb0781878f56bc3bd988515ff036626cfb9d7a415e

memory/1716-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 4c0684046e7f1d4126e4db6fb8cb03f8
SHA1 3f95104319048e9c627317c846e32dfc16de908b
SHA256 29eb27ef4af4e6448c6b6233eb577490c156c085a42a68964312e19882620280
SHA512 63c7f4e9ed344ab1a80ce73deccb66db5eae87ae8e42eb2e3a7b215a99c10b82d12700d25438e12e20c867f7ab4ce25f1040280181ffc75054f9daa902924e9a

memory/980-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 5e866d4b1f810c27d83bb6704241d11a
SHA1 b031e9cf5986af20a4b0b5055e46b914d273cb5d
SHA256 3016d05d494044fa1229b31321dae05f408aee4eb8a9c22ec8177677f07807bf
SHA512 41229e442dc8d5d26b219ee663756cdd0de88962a620a407e74449165681a9cec966cbe6c4ed651472635a7e5a6943e0584d1d6a60c33204cc0ff83075077b57

memory/1004-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3252-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3252-38-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4468-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/980-41-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1716-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1004-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1716-45-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1004-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1716-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1004-63-0x0000000000400000-0x0000000000A0E000-memory.dmp