Malware Analysis Report

2024-10-10 08:04

Sample ID 240611-yq739azckn
Target 2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71
SHA256 2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71
Tags
evasion persistence themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71

Threat Level: Known bad

The file 2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71 was found to be: Known bad.

Malicious Activity Summary

evasion persistence themida trojan

Modifies visibility of hidden/system files in Explorer

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 20:00

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 20:00

Reported

2024-06-11 20:03

Platform

win7-20240508-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A (19 identical rows)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
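
The two signatures above record every process in the chain opening HKLM\HARDWARE\ACPI\DSDT\VBOX__ and querying the SystemBiosVersion and VideoBiosVersion values; on an unhardened VirtualBox guest all three carry VirtualBox strings. The Python below is an added example, not code from the sandbox report or from the malware: it performs the same three lookups so an analyst can confirm whether a hardened analysis VM still leaks them. The hypervisor marker substrings and the BIOS strings in demo() are assumptions, since the report does not show what the sample compares the values against.

```python
"""Re-creates the three registry lookups the sample uses to spot a VirtualBox
guest (HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__, SystemBiosVersion, VideoBiosVersion).
Added example, not code from the sandbox report or the malware. The hypervisor
marker strings and the constructed values in demo() are assumptions."""
try:
    import winreg          # only present on Windows; the classifier itself is portable
except ImportError:
    winreg = None

# Substrings commonly found in virtual firmware strings (assumed list; the
# sample's own comparison set is not visible in the report).
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "bochs", "parallels", "xen")


def vm_indicators(acpi_tables, system_bios, video_bios):
    """Return human-readable indicators that the sample's checks would find.

    acpi_tables : subkey names under HKLM\\HARDWARE\\ACPI\\DSDT (table OEM IDs)
    system_bios : REG_MULTI_SZ entries of ...\\DESCRIPTION\\System\\SystemBiosVersion
    video_bios  : REG_MULTI_SZ entries of ...\\DESCRIPTION\\System\\VideoBiosVersion
    """
    hits = []
    for table in acpi_tables:
        # The OEM ID of a VirtualBox DSDT is "VBOX  ", shown as VBOX__ in the registry.
        if table.upper().startswith("VBOX"):
            hits.append(f"ACPI\\DSDT\\{table}")
    for name, values in (("SystemBiosVersion", system_bios),
                         ("VideoBiosVersion", video_bios)):
        for value in values:
            if any(marker in value.lower() for marker in VM_MARKERS):
                hits.append(f"{name} = {value!r}")
    return hits


def read_from_registry():
    """Collect the same three data points from the live machine (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg unavailable: run this on the Windows analysis VM")
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, r"HARDWARE\ACPI\DSDT") as key:
        tables = [winreg.EnumKey(key, i) for i in range(winreg.QueryInfoKey(key)[0])]
    with winreg.OpenKey(hklm, r"HARDWARE\DESCRIPTION\System") as key:
        system_bios = winreg.QueryValueEx(key, "SystemBiosVersion")[0]
        video_bios = winreg.QueryValueEx(key, "VideoBiosVersion")[0]
    return tables, system_bios, video_bios


def demo():
    """Classify constructed values typical of an unhardened VirtualBox guest and
    of a physical machine (both sets are assumptions, not data from the report)."""
    vbox = vm_indicators(["VBOX__"], ["VBOX   - 1"],
                         ["Oracle VM VirtualBox Version 7.0.0 VGA BIOS"])
    bare_metal = vm_indicators(["DELL__"], ["DELL   - 1072009", "1.15.0"],
                               ["Hardware Version 0.0"])
    return vbox, bare_metal


if __name__ == "__main__":
    if winreg is not None:
        print(vm_indicators(*read_from_registry()) or "no hypervisor markers found")
    else:
        print(demo())
```

HKLM\HARDWARE is a volatile hive rebuilt from firmware at every boot, so editing these values inside the guest does not survive a restart; the DSDT OEM ID and the DMI BIOS strings have to be changed in the hypervisor's own configuration for the checks above to come back clean.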

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (19 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe N/A (17 identical rows)
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A (24 identical rows)
N/A N/A \??\c:\windows\resources\svchost.exe N/A (23 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 348 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe \??\c:\windows\resources\themes\explorer.exe (4 identical rows)
PID 2064 wrote to memory of 2632 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe (4 identical rows)
PID 2632 wrote to memory of 2644 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe (4 identical rows)
PID 2644 wrote to memory of 2652 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe (4 identical rows)
PID 2064 wrote to memory of 2756 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe (4 identical rows)
PID 2644 wrote to memory of 2508 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe (4 identical rows)
PID 2644 wrote to memory of 1156 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe (4 identical rows)
PID 2644 wrote to memory of 688 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe (4 identical rows)

Processes

Process tree (PIDs and parent/child links taken from the WriteProcessMemory entries above; each image path is followed by its command line):

C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe (PID 348)
"C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe"

    \??\c:\windows\resources\themes\explorer.exe (PID 2064, child of 348)
    c:\windows\resources\themes\explorer.exe

        \??\c:\windows\resources\spoolsv.exe (PID 2632, child of 2064)
        c:\windows\resources\spoolsv.exe SE

            \??\c:\windows\resources\svchost.exe (PID 2644, child of 2632)
            c:\windows\resources\svchost.exe

                \??\c:\windows\resources\spoolsv.exe (PID 2652, child of 2644)
                c:\windows\resources\spoolsv.exe PR

                C:\Windows\SysWOW64\schtasks.exe (three instances, PIDs 2508, 1156 and 688, children of 2644)
                schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:02 /f
                schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:03 /f
                schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:04 /f

        C:\Windows\Explorer.exe (PID 2756, child of 2064)
        C:\Windows\Explorer.exe

Network

N/A

Files

memory/348-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/348-1-0x0000000077A70000-0x0000000077A72000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 0de82dd9554371d31e7c934fe63bca11
SHA1 d54bc5a849bddd8626ddf2921f9828193240be29
SHA256 29e166465e9550bcff9625f79a9a2e2f74af00a318aa19c822e0c415dd8f8072
SHA512 55a5b4f717fac2abfb791b500d31c65c8798a59e141a4d6ee39fa3dd088336225b5925452804c67a129903a89c653a1546b644248ee1d798de079fd2dd2aa352

memory/348-11-0x00000000036F0000-0x0000000003CFE000-memory.dmp

memory/2064-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 5bbea7cfdbc5396265198878b2819856
SHA1 3b96bd20d9c98a5a5765b9ac630a468d08b74257
SHA256 64b29a62e7446b5c559788bc7f464696201cdfe0c70cae46e5d4557a5003dd09
SHA512 7963c0f9b0f94e17ec4af5add8b044909831e472e4bbf2ec0562334a4278e8941af2f1b5a7b857875cccc91d916fa516b2f375205b3f298f4b501e7553bfea3b

memory/2064-21-0x00000000036A0000-0x0000000003CAE000-memory.dmp

\Windows\Resources\svchost.exe

MD5 1d70f58621fd3f6e2299e6b39adfe838
SHA1 3511362661c6b9d9c27ff335aab55fd232fcb766
SHA256 8d580f55fd076ecdba449fa1a6a05c11a79cc51d18089df8ec60f66fa93e99a1
SHA512 8500f2dd438e10663a26e0c2b090a965ea97e24f73fd0fd5749d34221874dff841188cd50e5282fab4e3aa6c25aad984db48e6e941ee3336c3906a9af989482e

memory/2632-34-0x0000000003630000-0x0000000003C3E000-memory.dmp

memory/2644-35-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/348-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/348-44-0x00000000036F0000-0x0000000003CFE000-memory.dmp

memory/2652-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2632-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2652-50-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/348-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2064-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2064-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2644-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2064-65-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2064-71-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2064-75-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 20:00

Reported

2024-06-11 20:03

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe N/A (34 identical rows)
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A (30 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 736 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe \??\c:\windows\resources\themes\explorer.exe
PID 4496 wrote to memory of 3528 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3528 wrote to memory of 4392 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4392 wrote to memory of 4864 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe

"C:\Users\Admin\AppData\Local\Temp\2aada5ee5e6f67863aa618d5bbd53e0c0f4294f7f81e377bb24de4388f8e1d71.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 28.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp

Files

memory/736-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/736-1-0x0000000077CB4000-0x0000000077CB6000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 e357c198e4cddf9e7315f87e097ee406
SHA1 5929582976af71180421d5951c9dc9eef13d2e3c
SHA256 64f5283f7216a1c462846a317f77588851b18bfed7dcdc100df7790127c01537
SHA512 98538eff09c8bc7b1cace1f3b02e929fe64c709cace9fdc9088d61816487e14eff92ac88381f7ec86af4b93a3add3d8824fa304d34e653d77061630f301356e9

memory/4496-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 16d924c670ded151b376d5165fe06239
SHA1 dd8163df6712687db27f5aca7dd088183e369206
SHA256 6b9d38d5b33b035f06820672ce5a0755bdb471c579cbee3e56d86ed99149ab54
SHA512 9b57e1b0ae820b89f519ff5ef20becb5c911ef7172eb44707d5c94599f1d6bf7eda2dc7d9e72d45cd48eab335547901688e005ec89f2808cf0aab32db3e7fd85

memory/3528-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 729fdae4f978753a68daa4dc15f492a8
SHA1 ebd358abc9507519f13d0ad4e7088dec39195601
SHA256 4b0b89534eee7a4a77d71de54f2404aff933854e61da64da7a4ac72686110d5a
SHA512 d8ab38fe4e621f23401eebc9dfe8279e563051e1ecf58bdcaec9cbe99062afd39146519ff1d3802bce9fc4a738fd40cee34589ee82afd05d8d396a065082d6fa

memory/4392-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4864-37-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/736-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3528-41-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4496-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4392-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4496-48-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4496-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4392-61-0x0000000000400000-0x0000000000A0E000-memory.dmp