Malware Analysis Report

2024-10-10 07:59

Sample ID 240612-e4qlks1bqh
Target d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22
SHA256 d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22

Threat Level: Known bad

The file d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22 was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Modifies visibility of hidden/system files in Explorer

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 04:29

Signatures

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 04:29

Reported

2024-06-12 04:32

Platform

win7-20240611-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (3 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe N/A (17 identical rows)
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A (25 identical rows)
N/A N/A \??\c:\windows\resources\svchost.exe N/A (22 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe \??\c:\windows\resources\themes\explorer.exe (4 identical rows)
PID 2584 wrote to memory of 2104 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe (4 identical rows)
PID 2104 wrote to memory of 2720 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe (4 identical rows)
PID 2720 wrote to memory of 2632 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe (4 identical rows)
PID 2584 wrote to memory of 2536 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe (4 identical rows)
PID 2720 wrote to memory of 2508 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe (4 identical rows)
PID 2720 wrote to memory of 272 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe (4 identical rows)
PID 2720 wrote to memory of 1744 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe

"C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:32 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:33 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:34 /f

Network

N/A

Files

memory/2236-0-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2236-1-0x0000000077770000-0x0000000077772000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 60116a0cecb837877fcaa94c870d07f1
SHA1 1fcf8ce507d253719e61453b11f8816d3ef173a2
SHA256 fed463bede3fb19f77de339fae8c68c81b3159907146c850d9849d38ff2136de
SHA512 910a69e7a0cfd9848b088f4003bad20de178f9ed3cf7119393f62f7c7b84f2056776fc74e2fa95533d85b2164062b0d3d315b7945a64de3432ac36e1bfe47afe

memory/2584-11-0x0000000000400000-0x0000000000A13000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 3977854b0c4d332e281da52fa9169c89
SHA1 3181718682568a93b2de069dbceae6d7e26966c6
SHA256 f9389822c4ae4fe068bb6282665be6e74c6dea4ff5e383752a6a4c6cbf12761a
SHA512 9a6cd0b29a451af1efbba50ca801e8881276c17e53b821db0960fe8dee8418986b611a1059051c5d71179afe915468c0425874952e013faa791304dfc71fb645

memory/2104-23-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2584-22-0x00000000034B0000-0x0000000003AC3000-memory.dmp

\Windows\Resources\svchost.exe

MD5 728e604c6763e16439312ef2fa8c6a40
SHA1 dfbd4f52e76082478e041ca073d0767f957e1c15
SHA256 f5d5bf21e805a3f5ceb5cf75242b745f239409eb3c9c8fc2b5941ddbca7fe3e7
SHA512 82612568299829cbd9883875e21c68cf04ffd658b3e15f22b0de8a068e3eb5e3b671efaab211843120400fd9120cd45953482dd9f59c4aaff579893ac1b32768

memory/2104-34-0x0000000003310000-0x0000000003923000-memory.dmp

memory/2720-40-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2632-42-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2236-43-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2632-48-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2104-49-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2236-50-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2584-51-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2720-53-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2584-54-0x00000000034B0000-0x0000000003AC3000-memory.dmp

memory/2584-65-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2720-74-0x0000000000400000-0x0000000000A13000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 04:29

Reported

2024-06-12 04:32

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A (18 identical rows)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (18 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe N/A (34 identical rows)
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A (30 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe \??\c:\windows\resources\themes\explorer.exe
PID 2132 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe \??\c:\windows\resources\themes\explorer.exe
PID 2132 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe \??\c:\windows\resources\themes\explorer.exe
PID 2296 wrote to memory of 1792 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2296 wrote to memory of 1792 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2296 wrote to memory of 1792 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1792 wrote to memory of 2108 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1792 wrote to memory of 2108 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1792 wrote to memory of 2108 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2108 wrote to memory of 1864 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2108 wrote to memory of 1864 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2108 wrote to memory of 1864 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe

"C:\Users\Admin\AppData\Local\Temp\d05b5ace310c9d1401c257a7e8e54c2f9327028c157269a95df1e9848df27a22.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

memory/2132-0-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2132-1-0x0000000077E24000-0x0000000077E26000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 69c47fb7a1c83255958066afc559a359
SHA1 20474c4345a7f7a21e3ad355f3368effee630cfc
SHA256 6828fb3d44a3e0c3107467f98f968084b9ae7a6b0136d85eea44b95330d89324
SHA512 c1ea5901a7a38c303c8c0f9757be45662d0bdb2c8519719a7d3883d1afc2001ba6ea04a9345bde1c894d7aac2a2ed7da331ad5cea611b457a0a1fe2b8bdcea01

memory/2296-10-0x0000000000400000-0x0000000000A13000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 48b7185f7aa4c97794ec38117a6e3601
SHA1 b35a389f6776550fc8076cfc260fcf2f06669a1a
SHA256 e79b83ec6cb30814da7c777d0957f8fa4d66b34e633958b4fd8c3e941bffce62
SHA512 5e1199a79f044794dfa05502ca65c600fa9bcdf43795bcee679aae47bab2f85907d7398287fa89b92eea5e44087866368a539f3a798c8fac48e341a9ddc1f5a9

memory/1792-19-0x0000000000400000-0x0000000000A13000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 77309b8058e7adb99e25ecc6c6c564d7
SHA1 64f966d4f15971e6c87ac037a52a4474c3eaa61f
SHA256 34bda68a55e0c1bc341046fb8afb211ce2725e51bcbf227a50b894cb90d43499
SHA512 ed30d9c4b567c7c01f9bbf76fe7baaa6f1eafd25a3484996e286b2c00a9a2c67c60754c05369e75219a14ae2da4c6ae00b52719228169a86416aebf11359ff77

memory/2108-28-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2132-33-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/1864-34-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/1864-40-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2132-41-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/1792-39-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2296-42-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2108-43-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2108-46-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2296-51-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2296-55-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2108-66-0x0000000000400000-0x0000000000A13000-memory.dmp