650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b

max time kernel133s
max time network132s
platformwindows10_x64
resourcewin10-en-20211208
submitted19-01-2022 15:11

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe

Filesize

578KB

Completed

19-01-2022 15:13

Score

10^/10

MD5

dfbf1c3345fa6eecbc7625e48745bb5d

SHA1

4052413e09323f822f5e4dcbd8a82ca376d6e26f

SHA256

650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b

Collection

Credential Access

Defense Evasion

Discovery

Persistence

Modifies Windows Defender Real-time Protection settings

Tags

evasion trojan

TTPs

Modify RegistryModify Existing ServiceDisabling Security Tools
Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
Downloads MZ/PE file

Executes dropped EXE

fl.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

Reported IOCs

pid	process
4392	fl.exe
1500	RegHost.exe
2772	RegHost.exe
4756	RegHost.exe
1924	RegHost.exe
4128	RegHost.exe
3552	RegHost.exe
1548	RegHost.exe
3504	RegHost.exe
2388	RegHost.exe
3480	RegHost.exe

UPX packed file

Description

Detects executables packed with UPX/modified UPX open source packer.

Tags

upx

Reported IOCs

resource yara_rule

behavioral1/memory/916-145-0x0000000140000000-0x000000014274C000-memory.dmp upx

resource	yara_rule
behavioral1/memory/916-145-0x0000000140000000-0x000000014274C000-memory.dmp	upx

Checks BIOS information in registry

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exefl.exeRegHost.exeRegHost.exeRegHost.exe

Description

BIOS information is often read in order to detect sandboxing environments.

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe

Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files

Themida packer

Description

Detects Themida, an advanced Windows software protection system.

Reported IOCs

resource	yara_rule
behavioral1/files/0x000500000001ab6d-140.dat	themida
behavioral1/files/0x000500000001ab6d-141.dat	themida
behavioral1/memory/4392-142-0x00007FF7EC340000-0x00007FF7EC77B000-memory.dmp	themida
behavioral1/memory/4392-143-0x00007FF7EC340000-0x00007FF7EC77B000-memory.dmp	themida
behavioral1/memory/4392-144-0x00007FF7EC340000-0x00007FF7EC77B000-memory.dmp	themida
behavioral1/files/0x000500000001ab71-148.dat	themida
behavioral1/files/0x000500000001ab71-149.dat	themida
behavioral1/memory/1500-150-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/1500-151-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/1500-152-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/files/0x000500000001ab71-156.dat	themida
behavioral1/memory/2772-157-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/2772-158-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/2772-159-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/files/0x000500000001ab71-163.dat	themida
behavioral1/memory/4756-164-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/4756-165-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/4756-166-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/files/0x000500000001ab71-170.dat	themida
behavioral1/memory/1924-171-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/1924-172-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/1924-173-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/files/0x000500000001ab71-177.dat	themida
behavioral1/memory/4128-178-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/4128-179-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/4128-180-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/files/0x000500000001ab71-184.dat	themida
behavioral1/memory/3552-185-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/3552-186-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/3552-187-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/files/0x000500000001ab71-191.dat	themida
behavioral1/memory/1548-192-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/1548-193-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/1548-194-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/files/0x000500000001ab71-198.dat	themida
behavioral1/memory/3504-199-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/3504-200-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/3504-201-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/files/0x000500000001ab71-205.dat	themida
behavioral1/memory/2388-206-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/2388-207-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/2388-208-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/files/0x000500000001ab71-212.dat	themida
behavioral1/memory/3480-213-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/3480-214-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida
behavioral1/memory/3480-215-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags

spyware

TTPs

Data from Local SystemCredentials in Files

Adds Run key to start application

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exefl.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	fl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe

Checks installed software on the system

Description

Looks up Uninstall key entries in the registry to enumerate software on the system.

Tags

discovery

TTPs

Query Registry

Checks whether UAC is enabled

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exefl.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

TTPs

System Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger
650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe

Reported IOCs

pid process

3996 650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe

Suspicious use of SetThreadContext

fl.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

Reported IOCs

description	pid	process	target process
PID 4392 set thread context of 916	4392	fl.exe	bfsvc.exe
PID 4392 set thread context of 1088	4392	fl.exe	explorer.exe
PID 1500 set thread context of 1820	1500	RegHost.exe	bfsvc.exe
PID 1500 set thread context of 2184	1500	RegHost.exe	explorer.exe
PID 2772 set thread context of 3600	2772	RegHost.exe	bfsvc.exe
PID 2772 set thread context of 4508	2772	RegHost.exe	explorer.exe
PID 4756 set thread context of 1964	4756	RegHost.exe	bfsvc.exe
PID 4756 set thread context of 5088	4756	RegHost.exe	explorer.exe
PID 1924 set thread context of 4976	1924	RegHost.exe	bfsvc.exe
PID 1924 set thread context of 2928	1924	RegHost.exe	explorer.exe
PID 4128 set thread context of 392	4128	RegHost.exe	bfsvc.exe
PID 4128 set thread context of 3244	4128	RegHost.exe	explorer.exe
PID 3552 set thread context of 1452	3552	RegHost.exe	bfsvc.exe
PID 3552 set thread context of 2396	3552	RegHost.exe	explorer.exe
PID 1548 set thread context of 1800	1548	RegHost.exe	bfsvc.exe
PID 1548 set thread context of 1680	1548	RegHost.exe	explorer.exe
PID 3504 set thread context of 3764	3504	RegHost.exe	bfsvc.exe
PID 3504 set thread context of 1264	3504	RegHost.exe	explorer.exe
PID 2388 set thread context of 2220	2388	RegHost.exe	bfsvc.exe
PID 2388 set thread context of 3964	2388	RegHost.exe	explorer.exe

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery
Program crash
WerFault.exe

Reported IOCs

pid pid_target process target process

4600 3480 WerFault.exe RegHost.exe

pid	pid_target	process	target process
4600	3480	WerFault.exe	RegHost.exe

Suspicious behavior: EnumeratesProcesses

650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

Reported IOCs

pid	process
3996	650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe
3996	650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe
3996	650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
1088	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
5088	explorer.exe

Suspicious use of AdjustPrivilegeToken

650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exeWerFault.exe

Reported IOCs

description	pid	process
Token: SeDebugPrivilege	3996	650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe
Token: SeDebugPrivilege	4600	WerFault.exe

Suspicious use of WriteProcessMemory

650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exefl.exeexplorer.exeRegHost.exeexplorer.exeRegHost.exe

Reported IOCs

description	pid	process	target process
PID 3996 wrote to memory of 4392	3996	650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe	fl.exe
PID 3996 wrote to memory of 4392	3996	650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe	fl.exe
PID 4392 wrote to memory of 916	4392	fl.exe	bfsvc.exe
PID 4392 wrote to memory of 916	4392	fl.exe	bfsvc.exe
PID 4392 wrote to memory of 916	4392	fl.exe	bfsvc.exe
PID 4392 wrote to memory of 916	4392	fl.exe	bfsvc.exe
PID 4392 wrote to memory of 916	4392	fl.exe	bfsvc.exe
PID 4392 wrote to memory of 916	4392	fl.exe	bfsvc.exe
PID 4392 wrote to memory of 916	4392	fl.exe	bfsvc.exe
PID 4392 wrote to memory of 916	4392	fl.exe	bfsvc.exe
PID 4392 wrote to memory of 916	4392	fl.exe	bfsvc.exe
PID 4392 wrote to memory of 1088	4392	fl.exe	explorer.exe
PID 4392 wrote to memory of 1088	4392	fl.exe	explorer.exe
PID 4392 wrote to memory of 1088	4392	fl.exe	explorer.exe
PID 4392 wrote to memory of 1088	4392	fl.exe	explorer.exe
PID 4392 wrote to memory of 1088	4392	fl.exe	explorer.exe
PID 4392 wrote to memory of 1088	4392	fl.exe	explorer.exe
PID 4392 wrote to memory of 1088	4392	fl.exe	explorer.exe
PID 4392 wrote to memory of 1088	4392	fl.exe	explorer.exe
PID 4392 wrote to memory of 1088	4392	fl.exe	explorer.exe
PID 4392 wrote to memory of 1088	4392	fl.exe	explorer.exe
PID 4392 wrote to memory of 1088	4392	fl.exe	explorer.exe
PID 4392 wrote to memory of 1088	4392	fl.exe	explorer.exe
PID 4392 wrote to memory of 1088	4392	fl.exe	explorer.exe
PID 4392 wrote to memory of 1088	4392	fl.exe	explorer.exe
PID 4392 wrote to memory of 1088	4392	fl.exe	explorer.exe
PID 4392 wrote to memory of 1088	4392	fl.exe	explorer.exe
PID 4392 wrote to memory of 1088	4392	fl.exe	explorer.exe
PID 1088 wrote to memory of 1500	1088	explorer.exe	RegHost.exe
PID 1088 wrote to memory of 1500	1088	explorer.exe	RegHost.exe
PID 1500 wrote to memory of 1820	1500	RegHost.exe	bfsvc.exe
PID 1500 wrote to memory of 1820	1500	RegHost.exe	bfsvc.exe
PID 1500 wrote to memory of 1820	1500	RegHost.exe	bfsvc.exe
PID 1500 wrote to memory of 1820	1500	RegHost.exe	bfsvc.exe
PID 1500 wrote to memory of 1820	1500	RegHost.exe	bfsvc.exe
PID 1500 wrote to memory of 1820	1500	RegHost.exe	bfsvc.exe
PID 1500 wrote to memory of 1820	1500	RegHost.exe	bfsvc.exe
PID 1500 wrote to memory of 1820	1500	RegHost.exe	bfsvc.exe
PID 1500 wrote to memory of 1820	1500	RegHost.exe	bfsvc.exe
PID 1500 wrote to memory of 2184	1500	RegHost.exe	explorer.exe
PID 1500 wrote to memory of 2184	1500	RegHost.exe	explorer.exe
PID 1500 wrote to memory of 2184	1500	RegHost.exe	explorer.exe
PID 1500 wrote to memory of 2184	1500	RegHost.exe	explorer.exe
PID 1500 wrote to memory of 2184	1500	RegHost.exe	explorer.exe
PID 1500 wrote to memory of 2184	1500	RegHost.exe	explorer.exe
PID 1500 wrote to memory of 2184	1500	RegHost.exe	explorer.exe
PID 1500 wrote to memory of 2184	1500	RegHost.exe	explorer.exe
PID 1500 wrote to memory of 2184	1500	RegHost.exe	explorer.exe
PID 1500 wrote to memory of 2184	1500	RegHost.exe	explorer.exe
PID 1500 wrote to memory of 2184	1500	RegHost.exe	explorer.exe
PID 1500 wrote to memory of 2184	1500	RegHost.exe	explorer.exe
PID 1500 wrote to memory of 2184	1500	RegHost.exe	explorer.exe
PID 1500 wrote to memory of 2184	1500	RegHost.exe	explorer.exe
PID 1500 wrote to memory of 2184	1500	RegHost.exe	explorer.exe
PID 1500 wrote to memory of 2184	1500	RegHost.exe	explorer.exe
PID 1500 wrote to memory of 2184	1500	RegHost.exe	explorer.exe
PID 2184 wrote to memory of 2772	2184	explorer.exe	RegHost.exe
PID 2184 wrote to memory of 2772	2184	explorer.exe	RegHost.exe
PID 2772 wrote to memory of 3600	2772	RegHost.exe	bfsvc.exe
PID 2772 wrote to memory of 3600	2772	RegHost.exe	bfsvc.exe
PID 2772 wrote to memory of 3600	2772	RegHost.exe	bfsvc.exe
PID 2772 wrote to memory of 3600	2772	RegHost.exe	bfsvc.exe
PID 2772 wrote to memory of 3600	2772	RegHost.exe	bfsvc.exe
PID 2772 wrote to memory of 3600	2772	RegHost.exe	bfsvc.exe

C:\Users\Admin\AppData\Local\Temp\650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe

"C:\Users\Admin\AppData\Local\Temp\650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b.exe"

Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:3996

C:\Users\Admin\AppData\Local\Temp\fl.exe

"C:\Users\Admin\AppData\Local\Temp\fl.exe"

Executes dropped EXE
Checks BIOS information in registry
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:4392

C:\Windows\bfsvc.exe

C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

PID:916

C:\Windows\explorer.exe

C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

PID:1088

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"

Executes dropped EXE
Checks BIOS information in registry
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:1500

C:\Windows\bfsvc.exe

C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

PID:1820

C:\Windows\explorer.exe

C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

PID:2184

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"

Executes dropped EXE
Checks BIOS information in registry
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:2772

C:\Windows\bfsvc.exe

C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

PID:3600

C:\Windows\explorer.exe

C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

Suspicious behavior: EnumeratesProcesses

PID:4508

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"

Executes dropped EXE
Checks BIOS information in registry
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext

PID:4756

C:\Windows\bfsvc.exe

C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

PID:1964

C:\Windows\explorer.exe

C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

Suspicious behavior: EnumeratesProcesses

PID:5088

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"

Executes dropped EXE
Checks BIOS information in registry
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext

PID:1924

C:\Windows\bfsvc.exe

C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

PID:4976

C:\Windows\explorer.exe

C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

PID:2928

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"

Executes dropped EXE
Checks BIOS information in registry
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext

PID:4128

C:\Windows\bfsvc.exe

C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

PID:392

C:\Windows\explorer.exe

C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

PID:3244

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"

Executes dropped EXE
Checks BIOS information in registry
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext

PID:3552

C:\Windows\bfsvc.exe

C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

PID:1452

C:\Windows\explorer.exe

C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

PID:2396

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"

Executes dropped EXE
Checks BIOS information in registry
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext

PID:1548

C:\Windows\bfsvc.exe

C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

PID:1800

C:\Windows\explorer.exe

C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

PID:1680

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"

Executes dropped EXE
Checks BIOS information in registry
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext

PID:3504

C:\Windows\bfsvc.exe

C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

PID:3764

C:\Windows\explorer.exe

C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

PID:1264

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"

Executes dropped EXE
Checks BIOS information in registry
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext

PID:2388

C:\Windows\bfsvc.exe

C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm

PID:2220

C:\Windows\explorer.exe

C:\Windows\explorer.exe "EQAts4pWtXhujvOGkuGJklDeNF5DubyRR7prqLdz--sbJIQm" "Microsoft%20Basic%20Display%20Adapter" "None" "ton"

PID:3964

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"

Executes dropped EXE
Checks BIOS information in registry
Adds Run key to start application
Checks whether UAC is enabled

PID:3480

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3480 -s 572

Program crash
Suspicious use of AdjustPrivilegeToken

PID:4600

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\fl.exe
MD5
600c20e18834769dc0ae528c69108a5d

SHA1
743b942a951d381c0e3efc1fac3e2f09740769c2

SHA256
b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb

SHA512
36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
MD5
600c20e18834769dc0ae528c69108a5d

SHA1
743b942a951d381c0e3efc1fac3e2f09740769c2

SHA256
b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb

SHA512
36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
600c20e18834769dc0ae528c69108a5d

SHA1
743b942a951d381c0e3efc1fac3e2f09740769c2

SHA256
b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb

SHA512
36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
600c20e18834769dc0ae528c69108a5d

SHA1
743b942a951d381c0e3efc1fac3e2f09740769c2

SHA256
b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb

SHA512
36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
600c20e18834769dc0ae528c69108a5d

SHA1
743b942a951d381c0e3efc1fac3e2f09740769c2

SHA256
b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb

SHA512
36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
600c20e18834769dc0ae528c69108a5d

SHA1
743b942a951d381c0e3efc1fac3e2f09740769c2

SHA256
b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb

SHA512
36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
600c20e18834769dc0ae528c69108a5d

SHA1
743b942a951d381c0e3efc1fac3e2f09740769c2

SHA256
b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb

SHA512
36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
600c20e18834769dc0ae528c69108a5d

SHA1
743b942a951d381c0e3efc1fac3e2f09740769c2

SHA256
b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb

SHA512
36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
600c20e18834769dc0ae528c69108a5d

SHA1
743b942a951d381c0e3efc1fac3e2f09740769c2

SHA256
b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb

SHA512
36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
600c20e18834769dc0ae528c69108a5d

SHA1
743b942a951d381c0e3efc1fac3e2f09740769c2

SHA256
b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb

SHA512
36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
600c20e18834769dc0ae528c69108a5d

SHA1
743b942a951d381c0e3efc1fac3e2f09740769c2

SHA256
b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb

SHA512
36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
600c20e18834769dc0ae528c69108a5d

SHA1
743b942a951d381c0e3efc1fac3e2f09740769c2

SHA256
b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb

SHA512
36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
600c20e18834769dc0ae528c69108a5d

SHA1
743b942a951d381c0e3efc1fac3e2f09740769c2

SHA256
b8931e787497efcd1306a1b86529f1d930084650fd6c38fd7051bc167b02e6fb

SHA512
36079c25f17ce81de7ebe8b3225421191ba73c1f7a9cf049c7bbc818f8b2b5c157e279dc8e2aeb3d5addb93e233768792ad52a2e75218d55ddfeaf46e30e20ec

Download Submit
memory/916-145-0x0000000140000000-0x000000014274C000-memory.dmp

Download
memory/1088-147-0x0000000140000000-0x000000014002A000-memory.dmp

Download
memory/1088-146-0x0000000140000000-0x000000014002A000-memory.dmp

Download
memory/1264-204-0x0000000140000000-0x000000014002A000-memory.dmp

Download
memory/1500-150-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/1500-151-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/1500-152-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/1548-193-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/1548-194-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/1548-192-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/1680-197-0x0000000140000000-0x000000014002A000-memory.dmp

Download
memory/1924-173-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/1924-172-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/1924-171-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/2184-155-0x0000000140000000-0x000000014002A000-memory.dmp

Download
memory/2388-206-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/2388-207-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/2388-208-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/2396-190-0x0000000140000000-0x000000014002A000-memory.dmp

Download
memory/2772-158-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/2772-157-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/2772-159-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/2928-176-0x0000000140000000-0x000000014002A000-memory.dmp

Download
memory/3244-183-0x0000000140000000-0x000000014002A000-memory.dmp

Download
memory/3480-215-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/3480-213-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/3480-214-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/3504-199-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/3504-200-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/3504-201-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/3552-187-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/3552-186-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/3552-185-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/3964-211-0x0000000140000000-0x000000014002A000-memory.dmp

Download
memory/3996-126-0x0000000005790000-0x0000000005791000-memory.dmp

Download
memory/3996-120-0x0000000001000000-0x0000000001071000-memory.dmp

Download
memory/3996-121-0x0000000001000000-0x0000000001071000-memory.dmp

Download
memory/3996-122-0x0000000072990000-0x0000000072A10000-memory.dmp

Download
memory/3996-139-0x00000000082E0000-0x000000000880C000-memory.dmp

Download
memory/3996-138-0x0000000007370000-0x00000000073C0000-memory.dmp

Download
memory/3996-137-0x00000000064C0000-0x00000000064DE000-memory.dmp

Download
memory/3996-123-0x0000000005DB0000-0x00000000063B6000-memory.dmp

Download
memory/3996-124-0x00000000057A0000-0x00000000057B2000-memory.dmp

Download
memory/3996-125-0x00000000058D0000-0x00000000059DA000-memory.dmp

Download
memory/3996-136-0x0000000006560000-0x00000000065F2000-memory.dmp

Download
memory/3996-135-0x0000000006440000-0x00000000064B6000-memory.dmp

Download
memory/3996-119-0x0000000076130000-0x0000000076221000-memory.dmp

Download
memory/3996-118-0x0000000002D90000-0x0000000002DD4000-memory.dmp

Download
memory/3996-117-0x0000000074D70000-0x0000000074F32000-memory.dmp

Download
memory/3996-134-0x0000000005B40000-0x0000000005BA6000-memory.dmp

Download
memory/3996-133-0x00000000068C0000-0x0000000006DBE000-memory.dmp

Download
memory/3996-132-0x0000000070BE0000-0x0000000070C2B000-memory.dmp

Download
memory/3996-131-0x0000000005870000-0x00000000058BB000-memory.dmp

Download
memory/3996-130-0x00000000768C0000-0x0000000077C08000-memory.dmp

Download
memory/3996-129-0x0000000074F40000-0x00000000754C4000-memory.dmp

Download
memory/3996-128-0x0000000005BB0000-0x0000000005D72000-memory.dmp

Download
memory/3996-127-0x0000000005800000-0x000000000583E000-memory.dmp

Download
memory/3996-115-0x0000000001000000-0x0000000001071000-memory.dmp

Download
memory/4128-180-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/4128-179-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/4128-178-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/4392-142-0x00007FF7EC340000-0x00007FF7EC77B000-memory.dmp

Download
memory/4392-143-0x00007FF7EC340000-0x00007FF7EC77B000-memory.dmp

Download
memory/4392-144-0x00007FF7EC340000-0x00007FF7EC77B000-memory.dmp

Download
memory/4508-162-0x0000000140000000-0x000000014002A000-memory.dmp

Download
memory/4756-166-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/4756-165-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/4756-164-0x00007FF6ED000000-0x00007FF6ED43B000-memory.dmp

Download
memory/5088-169-0x0000000140000000-0x000000014002A000-memory.dmp

Download

650f2409b85f546ee7345a8281edddd2b084152df6bb45778c958b31ab14d84b

Filter: none

Tags

TTPs

Tags

TTPs

Reported IOCs

Description

Tags

Reported IOCs

Description

TTPs

Reported IOCs

Description

Tags

TTPs

Description

Tags

Reported IOCs

Tags

TTPs

Tags

TTPs

Reported IOCs

Description

Tags

TTPs

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Description

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title