Malware Analysis Report

2025-06-15 23:30

Sample ID 241109-x1b8wstjcr
Target 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54
SHA256 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54
Tags
themida discovery evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54

Threat Level: Known bad

The file 06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54 was found to be: Known bad.

Malicious Activity Summary

themida discovery evasion persistence trojan

Modifies visibility of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Themida packer

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:18

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:18

Reported

2024-11-09 19:21

Platform

win7-20241010-en

Max time kernel

150s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe \??\c:\windows\resources\themes\explorer.exe
PID 2116 wrote to memory of 2424 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2424 wrote to memory of 2964 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2964 wrote to memory of 2888 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2116 wrote to memory of 2716 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2964 wrote to memory of 2860 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2964 wrote to memory of 1272 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2964 wrote to memory of 2124 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe

"C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:20 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:21 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:22 /f

Network

N/A

Files

memory/2412-0-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2412-1-0x0000000077BA0000-0x0000000077BA2000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 900004ffdccf83cbd9502f81c99d3657
SHA1 db12edeacf7c1a97bf86fe7946a71848374ecf97
SHA256 11ce85487bb65d453c5cc52dd769ffdc5919befa291ee11f581886f8ac07b631
SHA512 35413ff57049eb42d21b3d02c6b74b08db6fdf2595837d98d3c921802a325b236d0dad5ed8a6f0bc23cd1f649d23a27554143efec993c74f6c11a25ebb051378

memory/2116-11-0x0000000000400000-0x0000000000A13000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 ed66397f271dc90bfc7869d8e47e16d7
SHA1 a3ee6a86b27ab94bc22412546951e3c2dafc1e27
SHA256 50a2dbfde26d177653662fe4b53bb472ce0c9e335a82c089a85e87312538bb98
SHA512 71ea5d11f1ab9fbfd1a4ed336b24e811e3ece62a8a0743b70a88530aa94df619d587c5e0941f6c848905650c4bcc00f4a216e56414fdaa494f6c83d81356afaf

memory/2116-22-0x0000000003460000-0x0000000003A73000-memory.dmp

memory/2424-23-0x0000000000400000-0x0000000000A13000-memory.dmp

\Windows\Resources\svchost.exe

MD5 766cf7fde2c3b0403620d293d4c72d00
SHA1 ec973289efba47f37a7b712c6ff1696900df3b26
SHA256 ca9b64ada6edd86580e2418ca82023d6220f23b44a20acc475fbe6c8b5d955f5
SHA512 697c9b3e74ce470503da4e291f51e9efa98a3fac460eb76e5a4921465e609564159514f1e653918530bce0baeb16646f87d8c40d6bb2c25969e59edad72c9388

memory/2424-39-0x0000000003410000-0x0000000003A23000-memory.dmp

memory/2964-41-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2412-42-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2888-43-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2888-48-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2424-50-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2412-52-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2116-53-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2116-54-0x0000000003460000-0x0000000003A73000-memory.dmp

memory/2116-55-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2964-56-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2116-64-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2964-67-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2116-68-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2116-80-0x0000000000400000-0x0000000000A13000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 19:18

Reported

2024-11-09 19:21

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 468 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe \??\c:\windows\resources\themes\explorer.exe
PID 468 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe \??\c:\windows\resources\themes\explorer.exe
PID 468 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe \??\c:\windows\resources\themes\explorer.exe
PID 4500 wrote to memory of 1052 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4500 wrote to memory of 1052 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4500 wrote to memory of 1052 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1052 wrote to memory of 3652 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1052 wrote to memory of 3652 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1052 wrote to memory of 3652 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3652 wrote to memory of 2292 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 3652 wrote to memory of 2292 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 3652 wrote to memory of 2292 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe

"C:\Users\Admin\AppData\Local\Temp\06f1f10c7e0dffeb9ef08ed80ba8da73bfdb0aa1a90acbeca3cc5ac46c576c54.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/468-0-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/468-1-0x0000000077354000-0x0000000077356000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 e0ef7489d12eb469be18bc11fcbcc08d
SHA1 74e1422c596a53ee384c95a3067ac1bd5146c0c9
SHA256 a6e7cbed9f795b3fbdb6eb9139732f24a83cf8d2d3d32b3d8232ca2ab949ec9a
SHA512 64dbe15f456683998d345cda03f6f154b39ff8ed83907cc4244ce5e1f5842da4e94c733a1d71c87c1827d798339f13edc2ab2a0897b717f9e8eaa6c8c4bf3d87

memory/4500-10-0x0000000000400000-0x0000000000A13000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 f5efa412b988ecd676bce4cb16b01f81
SHA1 b497fae6ac1278faa7a0e0ff62f7dc2025ce2bc8
SHA256 93ea6a8b09fecbca6638d02c4ecd7a209fd31e26d3b24263ff79e6db86c192b6
SHA512 fd2c659790dc86ca463470ae357471baecd9cd95fa7beb390c45bd8c5a09bfce99b0ce63f7a9048f98c55fbccb693e608fdca5b7cae11a5047087642a6c760af

memory/1052-19-0x0000000000400000-0x0000000000A13000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 7a7d28c6aae5b9512d2608df802d0e20
SHA1 e056df20e754493d3ca6196125e231dd30c5956b
SHA256 f33869ab0e9ba8868d74742ef752b88f052c86b5b0c68f2124ad277333558d95
SHA512 aba63c5dc8f02a1e006a3c1c42a4fcd1f91e7cd8e1ca3650d02346c93eed4ed26dab645e97a5fd782524742f640674402aa76ecba814a68c373343767fa612a0

memory/3652-28-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2292-33-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/468-42-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/1052-41-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/2292-38-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/4500-43-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/3652-45-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/4500-53-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/4500-57-0x0000000000400000-0x0000000000A13000-memory.dmp

memory/4500-67-0x0000000000400000-0x0000000000A13000-memory.dmp