b724e1d087d12cf6b9ada01bfa555a3047250546f3add75b1e9086c111633b9c

Analysis

max time kernel
23s
max time network
24s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Magicmida.exe
Size

4.8MB
MD5

cbd33d0e1cace68f044d3f1b44bbba7b
SHA1

8a9c635d76cd59147c294bc8ad890d317f95ebcd
SHA256

b724e1d087d12cf6b9ada01bfa555a3047250546f3add75b1e9086c111633b9c
SHA512

cf614895009d93a8c8769bfb0691c78a7b1a23ce2729d6346fa19487b4bf598bdb6f3ed7da43a571137d8d09080ffdf1cfa171080941e28b34cb2450b296f35b
SSDEEP

98304:YXzhW148Pd+Tf1mpcOldJQ3/Vk0dRWRbbVcNbCyfioB:sFK4s0TfLOdo/pdR6w

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

spoolsv.exesvchost.exespoolsv.exeMagicmida.exeicsys.icn.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Magicmida.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeMagicmida.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Magicmida.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Magicmida.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe

Executes dropped EXE 6 IoCs

Processes:

magicmida.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2984 magicmida.exe
2480 icsys.icn.exe
4044 explorer.exe
4036 spoolsv.exe
4808 svchost.exe
980 spoolsv.exe

pid	process
2984	magicmida.exe
2480	icsys.icn.exe
4044	explorer.exe
4036	spoolsv.exe
4808	svchost.exe
980	spoolsv.exe

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/5108-0-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\Themes\icsys.icn.exe	themida
\??\c:\windows\resources\themes\explorer.exe	themida
behavioral2/memory/4044-21-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\spoolsv.exe	themida
behavioral2/memory/4036-30-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\svchost.exe	themida
behavioral2/memory/4808-39-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/5108-44-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/980-45-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4036-51-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/980-52-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/5108-56-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/2480-55-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4044-58-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4808-64-0x0000000000400000-0x0000000000A16000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

spoolsv.exesvchost.exespoolsv.exeMagicmida.exeicsys.icn.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magicmida.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

Magicmida.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

5108 Magicmida.exe
2480 icsys.icn.exe
4044 explorer.exe
4036 spoolsv.exe
4808 svchost.exe
980 spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exeMagicmida.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Magicmida.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587546414205711"	chrome.exe

Modifies registry class 44 IoCs

Processes:

magicmida.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	magicmida.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	magicmida.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	magicmida.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	magicmida.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	magicmida.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	magicmida.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	magicmida.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	magicmida.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	magicmida.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	magicmida.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	magicmida.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	magicmida.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	magicmida.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	magicmida.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	magicmida.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	magicmida.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	magicmida.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	magicmida.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	magicmida.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	magicmida.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	magicmida.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	magicmida.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	magicmida.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	magicmida.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	magicmida.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	magicmida.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	magicmida.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	magicmida.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	magicmida.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	magicmida.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	magicmida.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	magicmida.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	magicmida.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	magicmida.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	magicmida.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	magicmida.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	magicmida.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	magicmida.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	magicmida.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	magicmida.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	magicmida.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	magicmida.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	magicmida.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	magicmida.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Magicmida.exeicsys.icn.exe

pid	process
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
5108	Magicmida.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
2480	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

magicmida.exe explorer.exesvchost.exe

pid process

2984 magicmida.exe
4044 explorer.exe
4808 svchost.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2812 chrome.exe
2812 chrome.exe
2812 chrome.exe
2812 chrome.exe

pid	process
2984	magicmida.exe
4044	explorer.exe
4808	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

Magicmida.exeicsys.icn.exeexplorer.exespoolsv.exemagicmida.exe svchost.exespoolsv.exe

pid	process
5108	Magicmida.exe
5108	Magicmida.exe
2480	icsys.icn.exe
2480	icsys.icn.exe
4044	explorer.exe
4044	explorer.exe
4036	spoolsv.exe
4036	spoolsv.exe
2984	magicmida.exe
4808	svchost.exe
4808	svchost.exe
980	spoolsv.exe
980	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Magicmida.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exechrome.exe

description	pid	process	target process
PID 5108 wrote to memory of 2984	5108	Magicmida.exe	magicmida.exe
PID 5108 wrote to memory of 2984	5108	Magicmida.exe	magicmida.exe
PID 5108 wrote to memory of 2984	5108	Magicmida.exe	magicmida.exe
PID 5108 wrote to memory of 2480	5108	Magicmida.exe	icsys.icn.exe
PID 5108 wrote to memory of 2480	5108	Magicmida.exe	icsys.icn.exe
PID 5108 wrote to memory of 2480	5108	Magicmida.exe	icsys.icn.exe
PID 2480 wrote to memory of 4044	2480	icsys.icn.exe	explorer.exe
PID 2480 wrote to memory of 4044	2480	icsys.icn.exe	explorer.exe
PID 2480 wrote to memory of 4044	2480	icsys.icn.exe	explorer.exe
PID 4044 wrote to memory of 4036	4044	explorer.exe	spoolsv.exe
PID 4044 wrote to memory of 4036	4044	explorer.exe	spoolsv.exe
PID 4044 wrote to memory of 4036	4044	explorer.exe	spoolsv.exe
PID 4036 wrote to memory of 4808	4036	spoolsv.exe	svchost.exe
PID 4036 wrote to memory of 4808	4036	spoolsv.exe	svchost.exe
PID 4036 wrote to memory of 4808	4036	spoolsv.exe	svchost.exe
PID 4808 wrote to memory of 980	4808	svchost.exe	spoolsv.exe
PID 4808 wrote to memory of 980	4808	svchost.exe	spoolsv.exe
PID 4808 wrote to memory of 980	4808	svchost.exe	spoolsv.exe
PID 2812 wrote to memory of 3952	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 3952	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 1960	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 968	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 968	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 3572	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 3572	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 3572	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 3572	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 3572	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 3572	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 3572	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 3572	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 3572	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 3572	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 3572	2812	chrome.exe	chrome.exe
PID 2812 wrote to memory of 3572	2812	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Magicmida.exe
"C:\Users\Admin\AppData\Local\Temp\Magicmida.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5108

\??\c:\users\admin\appdata\local\temp\magicmida.exe
c:\users\admin\appdata\local\temp\magicmida.exe
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2984

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4044

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4036

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0x78,0x104,0x7fffcae1cc40,0x7fffcae1cc4c,0x7fffcae1cc58
2⤵
PID:3952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,15409163946172590038,3667001212119222286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1896 /prefetch:2
2⤵
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,15409163946172590038,3667001212119222286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2164 /prefetch:3
2⤵
PID:968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,15409163946172590038,3667001212119222286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2460 /prefetch:8
2⤵
PID:3572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,15409163946172590038,3667001212119222286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3176 /prefetch:1
2⤵
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,15409163946172590038,3667001212119222286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3216 /prefetch:1
2⤵
PID:1068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,15409163946172590038,3667001212119222286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4568 /prefetch:1
2⤵
PID:2652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4556,i,15409163946172590038,3667001212119222286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4824 /prefetch:8
2⤵
PID:3428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4760,i,15409163946172590038,3667001212119222286,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4444 /prefetch:1
2⤵
PID:676

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
Filesize
649B

MD5
01d88236aecf6977b54e88f4f64aa703

SHA1
29d1ab0edc719b3b6ddb87a5e614f497d9d3bffa

SHA256
b916b400c25ed161d1f12e39793968ade62a882ab8ab456cedfcdbf55a8fac0c

SHA512
21862d791e62091ccef231cbc4d577e5d049deb96b641143fbd18d5cf899fe54b098ad094a342677e284f4721296114742c8ea7b321d08e4539b73ac8841b35d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
03fac7f74d716dda4f6dc4a2683fa8f9

SHA1
81a02f4d459f72174f172fc264e681d30637a5e6

SHA256
dea6a363a2ca96d110c3e38db5d00057eb7da57682c6d85369c3923bd740de48

SHA512
02f560887fd0faa25b006cd477b52983d404411b3c6a2c1350a7ccade4ec5869e797c175646292ba77fb0f5b934ff5cbe0049fd6cb0a5127ef988a4454b569dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
146e22932478df475db7d7a7d1661893

SHA1
862d417c98cbfbadf44ae1a8a6892ea063c3974c

SHA256
043f3e760880f890ecca56f67d1cc1d6effe984cf8b13982ab1a0f4314fa9961

SHA512
c911f4a348cafe91b99c3ca2dc93f64356cdf1c62ae5b64db122bf130c4dfe04749b83948650b122e6b13213c8060c4a9c77a5a9e932de2d91dc9b5378522809

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
77KB

MD5
bc3dd0591522815bd0a72fa38e2611a1

SHA1
4a44dd311efbacfe910762c12383a99a2066ca7a

SHA256
99aea47b60af0d4624ebc94c22f53b2a24dbf85fd8d76679c2acb5d929554d78

SHA512
4d4b21e9eda951f1eee7a29d3b686f8e65f869f23a8a2ee8363d0683b6cf17a50395d6bcecab76a86e9d7ae8a727844ef8e8c783c31595bbbea89162f22ab1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\magicmida.exe
Filesize
2.3MB

MD5
0da6bfd0202e990a086c05d1255b839b

SHA1
d1fa6558b42cbb233439e7cd3a9f216f8e0ae6fb

SHA256
53b60e285e98c837ec40abe19cb02fb647a5286623105cd5deccb5b32a604188

SHA512
0c73d83ab531a47d94c44cc6d148704964fdad0587295327854148c3766246a4a1c56cda0ee33fa36b807db4cefea4534b09cd8a3aed55ce37fc10387bf521aa

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
2.6MB

MD5
bb720aa66d96ee76e6200aa0518b2367

SHA1
fa6a7d1fe19aafe319a32ceb57db44f743e2af78

SHA256
2a2cfbe23d2b7f32c43a5eee79f60915f44d1a0f833e2b2b62bd51301a52f0dc

SHA512
dad6334d9f35ca4c08e268867822ed7d3b79f55b3677841aa94b6a3cbde7afa4b9af3ff30ba5ba3b796816e32fc7bf05e2eb807161b993ce47d8cc7fe221f053

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
2.6MB

MD5
7849311baed82255dd9eea9cc76da4cd

SHA1
4d3cc5f8384e337286aeb6da8033bb6788d3ae04

SHA256
6cbd655becc70b4da5bc6f9ba609147c0d3771da2ba1a00a2d7194b958cee3b4

SHA512
ee10273a825a089ddadf64a7f7433b051188068140f548e9f9d0a5176d798a33a3ea815be91cf6edb98787934332fd0cd89bf8c47f0fe6a638930d1a9972b46e

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
2.6MB

MD5
eaf27e930b20ca02f63ac0d5a9308817

SHA1
48b3070207ab397b982b7728829e83ee6085c22f

SHA256
fb3a46e77b91e6dec78056092d7a796383a8598364baf64314a23465e4711f5c

SHA512
0ce817030f330ec6ad074368ab30c670b7869ef34a31d06e592b1ccd2712cf0d9c36856b86d1a53ab6b70fa7a5198d5d4f1f54ed7484726e9e1fe03431ada54d

Download Submit
\??\c:\windows\resources\themes\explorer.exe
Filesize
2.6MB

MD5
55feeb8429fd9fbff3a70bf4175f2833

SHA1
6790b3b74dbb95426e3e55e0674cfec59756182f

SHA256
f73dd1efb4d93b10dd3ac5e1fe825b786b536acece764114a815f6ef225519a5

SHA512
9fefc218f6a620c8a27860e4ad1261142687c1c9bee23defb2b41f0210ed13f4669634e1fb90257e3952936d807604f5d07d2651497d6877c8fb15e8886f1c33

Download Submit
\??\pipe\crashpad_2812_GOEOTFPVWUMNWJHG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/980-45-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/980-52-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2480-55-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2984-57-0x0000000000C10000-0x0000000000E5D000-memory.dmp

Filesize
2.3MB

Download
memory/2984-9-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/4036-51-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4036-30-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4044-21-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4044-58-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4808-64-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4808-39-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/5108-56-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/5108-44-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/5108-1-0x0000000077A84000-0x0000000077A86000-memory.dmp

Filesize
8KB

Download
memory/5108-0-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download