Behavioral Report

Analysis

max time kernel
120s
max time network
145s
platform
windows10_x64
resource
win10-en-20211208
submitted
17-01-2022 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe
Size

1MB
MD5

acabd1f99b9e449d951dea975e1f1ad5
SHA1

ef545ca153737d6246be2cd3de1b26fb92241327
SHA256

63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b
SHA512

e92d6a0f11d2d96267682eed231e8f5580e32df705bc6c0eeb0b6f7fbbe7c56c67267c8e1994c55bb724343e904137808e1fc9636750d2730aa42b3bf217abd1

Score

10^/10

evasion persistence themida trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3580 created 3068 3580 WerFault.exe RegHost.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

pid process

4080 RegHost.exe
3232 RegHost.exe
1844 RegHost.exe
3016 RegHost.exe
4928 RegHost.exe
4248 RegHost.exe
3024 RegHost.exe
2952 RegHost.exe
3068 RegHost.exe
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral1/memory/2812-118-0x0000000140000000-0x000000014274C000-memory.dmp upx

description	pid	process	target process
PID 3580 created 3068	3580	WerFault.exe	RegHost.exe

pid	process
4080	RegHost.exe
3232	RegHost.exe
1844	RegHost.exe
3016	RegHost.exe
4928	RegHost.exe
4248	RegHost.exe
3024	RegHost.exe
2952	RegHost.exe
3068	RegHost.exe

resource	yara_rule
behavioral1/memory/2812-118-0x0000000140000000-0x000000014274C000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe

Themida packer 40 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/3404-115-0x00007FF6CD530000-0x00007FF6CD8FC000-memory.dmp	themida
behavioral1/memory/3404-116-0x00007FF6CD530000-0x00007FF6CD8FC000-memory.dmp	themida
behavioral1/memory/3404-117-0x00007FF6CD530000-0x00007FF6CD8FC000-memory.dmp	themida
behavioral1/files/0x000600000001ab29-122.dat	themida
behavioral1/files/0x000600000001ab29-124.dat	themida
behavioral1/memory/4080-126-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/4080-127-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/4080-128-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/files/0x000600000001ab29-135.dat	themida
behavioral1/memory/3232-136-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/3232-137-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/3232-138-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/files/0x000600000001ab29-145.dat	themida
behavioral1/memory/1844-146-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/1844-147-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/1844-148-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/files/0x000600000001ab29-155.dat	themida
behavioral1/memory/3016-156-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/3016-157-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/3016-158-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/files/0x000600000001ab29-165.dat	themida
behavioral1/memory/4928-166-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/4928-167-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/4928-168-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/files/0x000600000001ab29-175.dat	themida
behavioral1/memory/4248-176-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/4248-177-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/4248-178-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/files/0x000600000001ab29-185.dat	themida
behavioral1/memory/3024-186-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/3024-187-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/3024-188-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/files/0x000600000001ab29-195.dat	themida
behavioral1/memory/2952-196-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/2952-197-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/2952-198-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/files/0x000600000001ab29-205.dat	themida
behavioral1/memory/3068-206-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/3068-207-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida
behavioral1/memory/3068-208-0x00007FF660E40000-0x00007FF66120C000-memory.dmp	themida

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegHost.exeRegHost.exe63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exe63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe

Suspicious use of SetThreadContext 18 IoCs

Processes:

63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	pid	process	target process
PID 3404 set thread context of 2812	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	bfsvc.exe
PID 3404 set thread context of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 4080 set thread context of 4192	4080	RegHost.exe	bfsvc.exe
PID 4080 set thread context of 4332	4080	RegHost.exe	explorer.exe
PID 3232 set thread context of 4244	3232	RegHost.exe	bfsvc.exe
PID 3232 set thread context of 384	3232	RegHost.exe	explorer.exe
PID 1844 set thread context of 2264	1844	RegHost.exe	bfsvc.exe
PID 1844 set thread context of 2464	1844	RegHost.exe	explorer.exe
PID 3016 set thread context of 4404	3016	RegHost.exe	bfsvc.exe
PID 3016 set thread context of 4784	3016	RegHost.exe	explorer.exe
PID 4928 set thread context of 4860	4928	RegHost.exe	bfsvc.exe
PID 4928 set thread context of 4576	4928	RegHost.exe	explorer.exe
PID 4248 set thread context of 5032	4248	RegHost.exe	bfsvc.exe
PID 4248 set thread context of 628	4248	RegHost.exe	explorer.exe
PID 3024 set thread context of 4972	3024	RegHost.exe	bfsvc.exe
PID 3024 set thread context of 1628	3024	RegHost.exe	explorer.exe
PID 2952 set thread context of 1956	2952	RegHost.exe	bfsvc.exe
PID 2952 set thread context of 4424	2952	RegHost.exe	explorer.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3580 3068 WerFault.exe RegHost.exe

pid	pid_target	process	target process
3580	3068	WerFault.exe	RegHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
780	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 3580 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	3580	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exeexplorer.exeRegHost.exeexplorer.exeRegHost.exe

description	pid	process	target process
PID 3404 wrote to memory of 2812	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	bfsvc.exe
PID 3404 wrote to memory of 2812	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	bfsvc.exe
PID 3404 wrote to memory of 2812	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	bfsvc.exe
PID 3404 wrote to memory of 2812	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	bfsvc.exe
PID 3404 wrote to memory of 2812	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	bfsvc.exe
PID 3404 wrote to memory of 2812	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	bfsvc.exe
PID 3404 wrote to memory of 2812	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	bfsvc.exe
PID 3404 wrote to memory of 2812	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	bfsvc.exe
PID 3404 wrote to memory of 2812	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	bfsvc.exe
PID 3404 wrote to memory of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 3404 wrote to memory of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 3404 wrote to memory of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 3404 wrote to memory of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 3404 wrote to memory of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 3404 wrote to memory of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 3404 wrote to memory of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 3404 wrote to memory of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 3404 wrote to memory of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 3404 wrote to memory of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 3404 wrote to memory of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 3404 wrote to memory of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 3404 wrote to memory of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 3404 wrote to memory of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 3404 wrote to memory of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 3404 wrote to memory of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 3404 wrote to memory of 780	3404	63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe	explorer.exe
PID 780 wrote to memory of 4080	780	explorer.exe	RegHost.exe
PID 780 wrote to memory of 4080	780	explorer.exe	RegHost.exe
PID 4080 wrote to memory of 4192	4080	RegHost.exe	bfsvc.exe
PID 4080 wrote to memory of 4192	4080	RegHost.exe	bfsvc.exe
PID 4080 wrote to memory of 4192	4080	RegHost.exe	bfsvc.exe
PID 4080 wrote to memory of 4192	4080	RegHost.exe	bfsvc.exe
PID 4080 wrote to memory of 4192	4080	RegHost.exe	bfsvc.exe
PID 4080 wrote to memory of 4192	4080	RegHost.exe	bfsvc.exe
PID 4080 wrote to memory of 4192	4080	RegHost.exe	bfsvc.exe
PID 4080 wrote to memory of 4192	4080	RegHost.exe	bfsvc.exe
PID 4080 wrote to memory of 4192	4080	RegHost.exe	bfsvc.exe
PID 4080 wrote to memory of 4332	4080	RegHost.exe	explorer.exe
PID 4080 wrote to memory of 4332	4080	RegHost.exe	explorer.exe
PID 4080 wrote to memory of 4332	4080	RegHost.exe	explorer.exe
PID 4080 wrote to memory of 4332	4080	RegHost.exe	explorer.exe
PID 4080 wrote to memory of 4332	4080	RegHost.exe	explorer.exe
PID 4080 wrote to memory of 4332	4080	RegHost.exe	explorer.exe
PID 4080 wrote to memory of 4332	4080	RegHost.exe	explorer.exe
PID 4080 wrote to memory of 4332	4080	RegHost.exe	explorer.exe
PID 4080 wrote to memory of 4332	4080	RegHost.exe	explorer.exe
PID 4080 wrote to memory of 4332	4080	RegHost.exe	explorer.exe
PID 4080 wrote to memory of 4332	4080	RegHost.exe	explorer.exe
PID 4080 wrote to memory of 4332	4080	RegHost.exe	explorer.exe
PID 4080 wrote to memory of 4332	4080	RegHost.exe	explorer.exe
PID 4080 wrote to memory of 4332	4080	RegHost.exe	explorer.exe
PID 4080 wrote to memory of 4332	4080	RegHost.exe	explorer.exe
PID 4080 wrote to memory of 4332	4080	RegHost.exe	explorer.exe
PID 4080 wrote to memory of 4332	4080	RegHost.exe	explorer.exe
PID 4332 wrote to memory of 3232	4332	explorer.exe	RegHost.exe
PID 4332 wrote to memory of 3232	4332	explorer.exe	RegHost.exe
PID 3232 wrote to memory of 4244	3232	RegHost.exe	bfsvc.exe
PID 3232 wrote to memory of 4244	3232	RegHost.exe	bfsvc.exe
PID 3232 wrote to memory of 4244	3232	RegHost.exe	bfsvc.exe
PID 3232 wrote to memory of 4244	3232	RegHost.exe	bfsvc.exe
PID 3232 wrote to memory of 4244	3232	RegHost.exe	bfsvc.exe
PID 3232 wrote to memory of 4244	3232	RegHost.exe	bfsvc.exe
PID 3232 wrote to memory of 4244	3232	RegHost.exe	bfsvc.exe
PID 3232 wrote to memory of 4244	3232	RegHost.exe	bfsvc.exe

C:\Users\Admin\AppData\Local\Temp\63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe
"C:\Users\Admin\AppData\Local\Temp\63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b.exe"
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBUrKc4jK39eXKGOmJfeEZjVLiZ9aSuxI-G7GPl6_9e9Bwj
PID:2812

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:780

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBUrKc4jK39eXKGOmJfeEZjVLiZ9aSuxI-G7GPl6_9e9Bwj
PID:4192

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4332

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBUrKc4jK39eXKGOmJfeEZjVLiZ9aSuxI-G7GPl6_9e9Bwj
PID:4244

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
- Suspicious behavior: EnumeratesProcesses
PID:384

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1844

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBUrKc4jK39eXKGOmJfeEZjVLiZ9aSuxI-G7GPl6_9e9Bwj
PID:2264

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
- Suspicious behavior: EnumeratesProcesses
PID:2464

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3016

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBUrKc4jK39eXKGOmJfeEZjVLiZ9aSuxI-G7GPl6_9e9Bwj
PID:4404

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
PID:4784

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4928

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBUrKc4jK39eXKGOmJfeEZjVLiZ9aSuxI-G7GPl6_9e9Bwj
PID:4860

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
PID:4576

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4248

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBUrKc4jK39eXKGOmJfeEZjVLiZ9aSuxI-G7GPl6_9e9Bwj
PID:5032

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
PID:628

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3024

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBUrKc4jK39eXKGOmJfeEZjVLiZ9aSuxI-G7GPl6_9e9Bwj
PID:4972

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
PID:1628

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2952

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBUrKc4jK39eXKGOmJfeEZjVLiZ9aSuxI-G7GPl6_9e9Bwj
PID:1956

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"
PID:4424

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
PID:3068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3068 -s 424
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
acabd1f99b9e449d951dea975e1f1ad5

SHA1
ef545ca153737d6246be2cd3de1b26fb92241327

SHA256
63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b

SHA512
e92d6a0f11d2d96267682eed231e8f5580e32df705bc6c0eeb0b6f7fbbe7c56c67267c8e1994c55bb724343e904137808e1fc9636750d2730aa42b3bf217abd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
acabd1f99b9e449d951dea975e1f1ad5

SHA1
ef545ca153737d6246be2cd3de1b26fb92241327

SHA256
63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b

SHA512
e92d6a0f11d2d96267682eed231e8f5580e32df705bc6c0eeb0b6f7fbbe7c56c67267c8e1994c55bb724343e904137808e1fc9636750d2730aa42b3bf217abd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
acabd1f99b9e449d951dea975e1f1ad5

SHA1
ef545ca153737d6246be2cd3de1b26fb92241327

SHA256
63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b

SHA512
e92d6a0f11d2d96267682eed231e8f5580e32df705bc6c0eeb0b6f7fbbe7c56c67267c8e1994c55bb724343e904137808e1fc9636750d2730aa42b3bf217abd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
acabd1f99b9e449d951dea975e1f1ad5

SHA1
ef545ca153737d6246be2cd3de1b26fb92241327

SHA256
63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b

SHA512
e92d6a0f11d2d96267682eed231e8f5580e32df705bc6c0eeb0b6f7fbbe7c56c67267c8e1994c55bb724343e904137808e1fc9636750d2730aa42b3bf217abd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
acabd1f99b9e449d951dea975e1f1ad5

SHA1
ef545ca153737d6246be2cd3de1b26fb92241327

SHA256
63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b

SHA512
e92d6a0f11d2d96267682eed231e8f5580e32df705bc6c0eeb0b6f7fbbe7c56c67267c8e1994c55bb724343e904137808e1fc9636750d2730aa42b3bf217abd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
acabd1f99b9e449d951dea975e1f1ad5

SHA1
ef545ca153737d6246be2cd3de1b26fb92241327

SHA256
63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b

SHA512
e92d6a0f11d2d96267682eed231e8f5580e32df705bc6c0eeb0b6f7fbbe7c56c67267c8e1994c55bb724343e904137808e1fc9636750d2730aa42b3bf217abd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
acabd1f99b9e449d951dea975e1f1ad5

SHA1
ef545ca153737d6246be2cd3de1b26fb92241327

SHA256
63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b

SHA512
e92d6a0f11d2d96267682eed231e8f5580e32df705bc6c0eeb0b6f7fbbe7c56c67267c8e1994c55bb724343e904137808e1fc9636750d2730aa42b3bf217abd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
acabd1f99b9e449d951dea975e1f1ad5

SHA1
ef545ca153737d6246be2cd3de1b26fb92241327

SHA256
63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b

SHA512
e92d6a0f11d2d96267682eed231e8f5580e32df705bc6c0eeb0b6f7fbbe7c56c67267c8e1994c55bb724343e904137808e1fc9636750d2730aa42b3bf217abd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
acabd1f99b9e449d951dea975e1f1ad5

SHA1
ef545ca153737d6246be2cd3de1b26fb92241327

SHA256
63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b

SHA512
e92d6a0f11d2d96267682eed231e8f5580e32df705bc6c0eeb0b6f7fbbe7c56c67267c8e1994c55bb724343e904137808e1fc9636750d2730aa42b3bf217abd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
acabd1f99b9e449d951dea975e1f1ad5

SHA1
ef545ca153737d6246be2cd3de1b26fb92241327

SHA256
63e38dc331cd8b202d9109dd5b0e08162673c0661344a06252811d066548c31b

SHA512
e92d6a0f11d2d96267682eed231e8f5580e32df705bc6c0eeb0b6f7fbbe7c56c67267c8e1994c55bb724343e904137808e1fc9636750d2730aa42b3bf217abd1

Download Submit
memory/384-143-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/384-142-0x0000000140001E00-mapping.dmp

Download
memory/628-182-0x0000000140001E00-mapping.dmp

Download
memory/628-183-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/780-120-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/780-121-0x0000000140001E00-mapping.dmp

Download
memory/780-125-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1628-192-0x0000000140001E00-mapping.dmp

Download
memory/1628-193-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1844-148-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/1844-144-0x0000000000000000-mapping.dmp

Download
memory/1844-146-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/1844-147-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/1956-200-0x00000001427491D0-mapping.dmp

Download
memory/2264-150-0x00000001427491D0-mapping.dmp

Download
memory/2464-153-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2464-152-0x0000000140001E00-mapping.dmp

Download
memory/2812-118-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39MB

Download
memory/2812-119-0x00000001427491D0-mapping.dmp

Download
memory/2952-196-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/2952-198-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/2952-197-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/2952-194-0x0000000000000000-mapping.dmp

Download
memory/3016-154-0x0000000000000000-mapping.dmp

Download
memory/3016-156-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/3016-157-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/3016-158-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/3024-188-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/3024-187-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/3024-186-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/3024-184-0x0000000000000000-mapping.dmp

Download
memory/3068-204-0x0000000000000000-mapping.dmp

Download
memory/3068-206-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/3068-207-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/3068-208-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/3232-136-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/3232-134-0x0000000000000000-mapping.dmp

Download
memory/3232-137-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/3232-138-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/3404-115-0x00007FF6CD530000-0x00007FF6CD8FC000-memory.dmp

Filesize
3MB

Download
memory/3404-116-0x00007FF6CD530000-0x00007FF6CD8FC000-memory.dmp

Filesize
3MB

Download
memory/3404-117-0x00007FF6CD530000-0x00007FF6CD8FC000-memory.dmp

Filesize
3MB

Download
memory/4080-123-0x0000000000000000-mapping.dmp

Download
memory/4080-126-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/4080-127-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/4080-128-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/4192-130-0x00000001427491D0-mapping.dmp

Download
memory/4244-140-0x00000001427491D0-mapping.dmp

Download
memory/4248-178-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/4248-177-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/4248-174-0x0000000000000000-mapping.dmp

Download
memory/4248-176-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/4332-132-0x0000000140001E00-mapping.dmp

Download
memory/4332-133-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/4404-160-0x00000001427491D0-mapping.dmp

Download
memory/4424-202-0x0000000140001E00-mapping.dmp

Download
memory/4424-203-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/4576-172-0x0000000140001E00-mapping.dmp

Download
memory/4576-173-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/4784-162-0x0000000140001E00-mapping.dmp

Download
memory/4784-163-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/4860-170-0x00000001427491D0-mapping.dmp

Download
memory/4928-167-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/4928-166-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/4928-168-0x00007FF660E40000-0x00007FF66120C000-memory.dmp

Filesize
3MB

Download
memory/4928-164-0x0000000000000000-mapping.dmp

Download
memory/4972-190-0x00000001427491D0-mapping.dmp

Download
memory/5032-180-0x00000001427491D0-mapping.dmp

Download