Malware Analysis Report

2024-10-16 06:50

Sample ID 240616-a8acyascne
Target a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce
SHA256 a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce

Threat Level: Known bad

The file a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Detects executables packed with Themida

Modifies visibility of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Detects executables packed with Themida

Executes dropped EXE

Loads dropped DLL

Themida packer

Checks BIOS information in registry

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 00:52

Signatures

Detects executables packed with Themida

1 hit; no description, indicator, process or target rendered.

Themida packer

themida
1 hit; no description, indicator, process or target rendered.

Unsigned PE

1 hit; no description, indicator, process or target rendered.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 00:52

Reported

2024-06-16 00:55

Platform

win7-20240611-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Detects executables packed with Themida

17 hits; no description, indicator, process or target rendered.

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
17 hits; no description, indicator, process or target rendered.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
3 hits, all from C:\Windows\SysWOW64\schtasks.exe; no description, indicator or target rendered (the three schtasks command lines are listed under Processes below).

Suspicious behavior: EnumeratesProcesses

64 hits; no description, indicator or target rendered. Hits by process:
C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe 17
\??\c:\windows\resources\themes\explorer.exe 24
\??\c:\windows\resources\svchost.exe 23

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of WriteProcessMemory

Identical rows collapsed; the Indicator column was N/A throughout.
Source PID Target PID Writes Process Target
2140 2480 4 C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe \??\c:\windows\resources\themes\explorer.exe
2480 2668 4 \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
2668 1436 4 \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
1436 2468 4 \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
2480 2816 4 \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
1436 2524 4 \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
1436 804 4 \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
1436 568 4 \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe

"C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:54 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:55 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:56 /f
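The behavioral rows above (the VBOX__ ACPI key open, the SystemBiosVersion/VideoBiosVersion and EnableLUA queries, ShowSuperHidden set to 0, RunOnce values and schtasks commands that point into C:\Windows\Resources, and system-binary names written outside their real directories) can be turned into a small triage pass over rows of exactly this shape. The block below is an added example by the editor, not code from the sandbox that produced this report: the event strings are constructed to mirror the rows above, the LEGIT_DIRS map assumes a stock Windows layout, and the indicator names are the editor's own, not the sandbox's signature names. It also collapses the repeated WriteProcessMemory rows into unique parent/child edges so the process chain can be read directly.

```python
"""Triage helpers for sandbox behaviour rows of the kind this report prints.

Added example, not sandbox or report code: the event strings are constructed
to mirror the report's rows and the indicator names are the editor's own.
"""
import re

# Where the three binary names the sample impersonates live on a stock Windows
# install (lower-case, no trailing backslash). Assumption, adjust per image.
LEGIT_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

def normalize(path):
    """Drop quotes and the NT \\??\\ prefix, collapse doubled backslashes, lower-case."""
    p = path.strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return re.sub(r"\\+", r"\\", p).lower()

def split_path(path):
    """(directory, file name) of a normalized path."""
    directory, _, name = normalize(path).rpartition("\\")
    return directory, name

def is_masquerade(path):
    """True when a well-known system binary name sits outside its real directory."""
    directory, name = split_path(path)
    return name in LEGIT_DIRS and directory not in LEGIT_DIRS[name]

def under_resources(path):
    """True for anything below C:\\Windows\\Resources, the sample's drop directory."""
    return "\\windows\\resources\\" in normalize(path)

FILE_MOD = re.compile(r"File opened for modification (?P<path>\S+) (?P<proc>\S+)")

# (indicator, pattern, optional predicate on the match object)
RULES = [
    ("anti-vm: VirtualBox ACPI table probed",
     re.compile(r"Key opened \\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__", re.I), None),
    ("anti-vm: BIOS version strings read",
     re.compile(r"HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion", re.I), None),
    ("recon: UAC state (EnableLUA) read", re.compile(r"Policies\\System\\EnableLUA", re.I), None),
    ("evasion: ShowSuperHidden forced to 0",
     re.compile(r'Explorer\\Advanced\\ShowSuperHidden = "0"', re.I), None),
    ("persistence: Run/RunOnce value pointing into C:\\Windows\\Resources",
     re.compile(r'CurrentVersion\\Run(?:Once)?\\\S+ = "(?P<data>[^"]+)"', re.I),
     lambda m: under_resources(m.group("data"))),
    ("persistence: scheduled task pointing into C:\\Windows\\Resources",
     re.compile(r'schtasks\s+/create\b.*?/tr\s+"(?P<data>[^"]+)"', re.I),
     lambda m: under_resources(m.group("data"))),
    ("masquerade: system binary name written outside its real directory",
     FILE_MOD, lambda m: is_masquerade(m.group("path"))),
    ("tampering: masquerading process opened a real system binary for writing",
     FILE_MOD, lambda m: is_masquerade(m.group("proc"))
     and split_path(m.group("path"))[1] in LEGIT_DIRS and not is_masquerade(m.group("path"))),
]

def triage(events):
    """Return {indicator: [matching events]} for every rule that fires."""
    hits = {}
    for event in events:
        for name, pattern, check in RULES:
            m = pattern.search(event)
            if m and (check is None or check(m)):
                hits.setdefault(name, []).append(event)
    return hits

WRITE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

def process_chain(rows):
    """Collapse repeated WriteProcessMemory rows into unique (src, dst) -> images."""
    edges = {}
    for row in rows:
        m = WRITE.match(row)
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges.setdefault((int(src), int(dst)), (normalize(src_img), normalize(dst_img)))
    return edges

# Constructed sample rows shaped like the report's tables (not captured live).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
EVENTS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ " + SAMPLE,
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe",
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe',
    r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:54 /f',
    r"File opened for modification \??\c:\windows\resources\themes\explorer.exe " + SAMPLE,
    r"File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe",
    # benign control row: a Run value that points at a normal program location
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\Program Files\Microsoft OneDrive\OneDrive.exe" C:\Windows\explorer.exe',
]
WRITES = (4 * [f"PID 2140 wrote to memory of 2480 N/A {SAMPLE} \\??\\c:\\windows\\resources\\themes\\explorer.exe"]
          + 4 * [r"PID 2480 wrote to memory of 2668 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe"])
```

Calling triage(EVENTS) fires each of the eight rules exactly once and leaves the OneDrive control row alone, because the Run/RunOnce rule keys on where the value points rather than on the key itself. The tampering rule is what covers the "Drops file in System32 directory" hits above: the copies of svchost.exe and explorer.exe living under C:\Windows\Resources open the real C:\Windows\SysWOW64\explorer.exe for modification, which a rule that only looked at the written path would miss. process_chain(WRITES) reduces the eight repeated rows to the two edges 2140 -> 2480 and 2480 -> 2668.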

Network

N/A

Files

memory/2140-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2140-1-0x0000000077060000-0x0000000077062000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 7b348f6d6220b8edbbc2f71576210172
SHA1 4706dfc27707722162005d8fc354d7f16172fdf4
SHA256 3d7a2cf634825aa8bf00a8124e42bcb32a8d446680edf994fbe1d4e3ec40af13
SHA512 d7850f5196c6f421645494b3262d4f0db4fecb284db914f0d699999531d0c4a99bba28fbd68136947c46624bed682e22421fce41dd98a1a03e089015e86b5524

memory/2480-11-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 8bfaeca276fe4fea189ea8f82f119694
SHA1 981fcdb0a4fdde34c78fd6f56b677ea115d50db0
SHA256 737765e68d65fc3c49691677e943a6d45a26e7c71a31b7e1350a29dbd43da810
SHA512 506e3959de66e341bdbdbc8e16c78abea504e2b50f5c9a75a6f8bb0b132dc3991ddc7877070da82c17621420e590fdcea08c9ce56315901a849f6186ae82866b

memory/2480-21-0x0000000003770000-0x0000000003D7E000-memory.dmp

memory/2668-23-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\svchost.exe

MD5 018349880479ef41059ab12ab15766be
SHA1 a0384f48eba661a553b2d7626dcc53c462d48b74
SHA256 1709b641628dc5978b413608359a1eeb6f395687bebd32594c3215cf9b8b3e94
SHA512 f59360bf63c4b1bc38e079d04879401c01eaa7edb90805af2df469aa860d7f4d8742fb6cc3575fabeafc154372cad835b993be63924161bd117001483be3c1d1

memory/2668-34-0x0000000003670000-0x0000000003C7E000-memory.dmp

memory/1436-35-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2140-36-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2468-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2140-43-0x0000000003720000-0x0000000003D2E000-memory.dmp

memory/2468-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2668-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2140-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2480-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2480-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1436-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2480-61-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2480-67-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 00:52

Reported

2024-06-16 00:55

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Detects executables packed with Themida

18 hits; no description, indicator, process or target rendered.

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
18 hits; no description, indicator, process or target rendered.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe N/A

Suspicious behavior: EnumeratesProcesses

64 hits; no description, indicator or target rendered. Hits by process:
C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe 34
\??\c:\windows\resources\themes\explorer.exe 30

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 224 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe \??\c:\windows\resources\themes\explorer.exe
PID 1068 wrote to memory of 1404 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1404 wrote to memory of 4988 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4988 wrote to memory of 2800 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe

"C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

C:\Windows\Resources\Themes\explorer.exe

MD5 ed45521544e9ace0c0e3b0219babbb9a
SHA1 50b8f70cb0022ca18c84ac5f338ef89366d33244
SHA256 637d18ea2560ed94a8c7f68d1a7266439b5574684ba870eb91cd2661afc22b62
SHA512 510b7af911b2c389435d69f252353c83be7b5f192a7acdacb6432ced767d4459528bd9a957e04470c71bf107e8f993619b0d7d19bd86ce77df5c348dadb87a42

C:\Windows\Resources\spoolsv.exe

MD5 f40383846e8b4663c41a40f60f48d8ff
SHA1 f7bbd92b45e42eca9d2328db01ab22c5c297b369
SHA256 2102d53b6667ac75339b3034a0c049688e8bf05b8204f015eebece6a5cdef57e
SHA512 fb593eb722859f237a3494284cd97a3f215891fb73836d6bbd07454bcee04e6624074577f82e269f3202d67a097e5a7253a41ada0e05b30e33e2591b8d6c11cd

C:\Windows\Resources\svchost.exe

MD5 692e1b529266ef3fc6b78e921bfe4f4f
SHA1 07b6e2aa638e68b4539f27ec8f58e9b621ebdb6e
SHA256 30faf74331d3f175a535b1534d88a4d5eec2cbdb6280724b62242c920c6480d5
SHA512 14d6e422198a4caa0492f514814b0e29c7954bc4a9771419c406c7a1e07d95ba019cece1e077e569ecb795ae151a398b07147199486248c429d837751fb219d0
