0672f13398e67c43c7157c82ebc12bab.exe

General

Target: 0672f13398e67c43c7157c82ebc12bab.exe
Filesize: 1MB
Completed: 20-01-2022 19:26
Score: 10/10
MD5: 0672f13398e67c43c7157c82ebc12bab
SHA1: 7d0f4d5a05767f7ef534d7b05c72d5498918597d
SHA256: 93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

Malware Config
Signatures 15

Defense Evasion
Discovery
Persistence
  • Modifies Windows Defender Real-time Protection settings

    TTPs

    Modify Registry, Modify Existing Service, Disabling Security Tools
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Downloads MZ/PE file
  • Executes dropped EXE
    RegHost.exe ×16

    Reported IOCs

    pid | process
    1396 | RegHost.exe
    2024 | RegHost.exe
    1932 | RegHost.exe
    588 | RegHost.exe
    1220 | RegHost.exe
    1788 | RegHost.exe
    1488 | RegHost.exe
    1504 | RegHost.exe
    1588 | RegHost.exe
    1104 | RegHost.exe
    1192 | RegHost.exe
    1204 | RegHost.exe
    1588 | RegHost.exe
    1488 | RegHost.exe
    1048 | RegHost.exe
    864 | RegHost.exe
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/588-58-0x0000000140000000-0x000000014274C000-memory.dmp | upx
    behavioral1/memory/588-59-0x0000000140000000-0x000000014274C000-memory.dmp | upx
    behavioral1/memory/588-60-0x0000000140000000-0x000000014274C000-memory.dmp | upx
  • Checks BIOS information in registry
    RegHost.exe ×16, 0672f13398e67c43c7157c82ebc12bab.exe

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0672f13398e67c43c7157c82ebc12bab.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0672f13398e67c43c7157c82ebc12bab.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RegHost.exe
  • Loads dropped DLL
    explorer.exe ×16, WerFault.exe

    Reported IOCs

    pid | process
    1100 | explorer.exe
    1100 | explorer.exe
    1324 | explorer.exe
    1196 | explorer.exe
    1732 | explorer.exe
    1048 | explorer.exe
    1076 | explorer.exe
    1104 | explorer.exe
    1240 | explorer.exe
    868 | explorer.exe
    1492 | explorer.exe
    1640 | explorer.exe
    1180 | explorer.exe
    2012 | explorer.exe
    1620 | explorer.exe
    1296 | explorer.exe
    1076 | explorer.exe
    2044 | WerFault.exe
    2044 | WerFault.exe
    2044 | WerFault.exe
    2044 | WerFault.exe
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1600-54-0x000000013FB90000-0x000000013FFCE000-memory.dmp | themida
    behavioral1/memory/1600-55-0x000000013FB90000-0x000000013FFCE000-memory.dmp | themida
    behavioral1/memory/1600-56-0x000000013FB90000-0x000000013FFCE000-memory.dmp | themida
    behavioral1/files/0x000700000001267c-72.dat | themida
    behavioral1/files/0x000700000001267c-73.dat | themida
    behavioral1/files/0x000700000001267c-75.dat | themida
    behavioral1/files/0x000700000001267c-74.dat | themida
    behavioral1/memory/1396-76-0x000000013FB00000-0x000000013FF3E000-memory.dmp | themida
    behavioral1/memory/1396-77-0x000000013FB00000-0x000000013FF3E000-memory.dmp | themida
    behavioral1/memory/1396-78-0x000000013FB00000-0x000000013FF3E000-memory.dmp | themida
    behavioral1/files/0x000700000001267c-94.dat | themida
    behavioral1/files/0x000700000001267c-93.dat | themida
    behavioral1/memory/2024-95-0x000000013FFB0000-0x00000001403EE000-memory.dmp | themida
    behavioral1/memory/2024-96-0x000000013FFB0000-0x00000001403EE000-memory.dmp | themida
    behavioral1/memory/2024-97-0x000000013FFB0000-0x00000001403EE000-memory.dmp | themida
    behavioral1/files/0x000700000001267c-112.dat | themida
    behavioral1/files/0x000700000001267c-113.dat | themida
    behavioral1/memory/1932-114-0x000000013F900000-0x000000013FD3E000-memory.dmp | themida
    behavioral1/memory/1932-115-0x000000013F900000-0x000000013FD3E000-memory.dmp | themida
    behavioral1/memory/1932-116-0x000000013F900000-0x000000013FD3E000-memory.dmp | themida
    behavioral1/files/0x000700000001267c-131.dat | themida
    behavioral1/files/0x000700000001267c-132.dat | themida
    behavioral1/files/0x000700000001267c-150.dat | themida
    behavioral1/files/0x000700000001267c-151.dat | themida
    behavioral1/files/0x000700000001267c-171.dat | themida
    behavioral1/files/0x000700000001267c-170.dat | themida
    behavioral1/files/0x000700000001267c-189.dat | themida
    behavioral1/files/0x000700000001267c-190.dat | themida
    behavioral1/files/0x000700000001267c-208.dat | themida
    behavioral1/files/0x000700000001267c-209.dat | themida
    behavioral1/files/0x000700000001267c-227.dat | themida
    behavioral1/files/0x000700000001267c-228.dat | themida
    behavioral1/files/0x000700000001267c-246.dat | themida
    behavioral1/files/0x000700000001267c-247.dat | themida
    behavioral1/files/0x000700000001267c-265.dat | themida
    behavioral1/files/0x000700000001267c-266.dat | themida
    behavioral1/files/0x000700000001267c-284.dat | themida
    behavioral1/files/0x000700000001267c-285.dat | themida
    behavioral1/files/0x000700000001267c-303.dat | themida
    behavioral1/files/0x000700000001267c-304.dat | themida
    behavioral1/files/0x000700000001267c-323.dat | themida
    behavioral1/files/0x000700000001267c-322.dat | themida
    behavioral1/files/0x000700000001267c-341.dat | themida
    behavioral1/files/0x000700000001267c-342.dat | themida
    behavioral1/files/0x000700000001267c-360.dat | themida
    behavioral1/files/0x000700000001267c-361.dat | themida
    behavioral1/files/0x000700000001267c-366.dat | themida
    behavioral1/files/0x000700000001267c-367.dat | themida
    behavioral1/files/0x000700000001267c-368.dat | themida
    behavioral1/files/0x000700000001267c-369.dat | themida
  • Adds Run key to start application
    0672f13398e67c43c7157c82ebc12bab.exe, RegHost.exe ×16

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | 0672f13398e67c43c7157c82ebc12bab.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | RegHost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | RegHost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | RegHost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | RegHost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | RegHost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | RegHost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | RegHost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | RegHost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | RegHost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | RegHost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | RegHost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | RegHost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | RegHost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | RegHost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | RegHost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | RegHost.exe
  • Checks whether UAC is enabled
    RegHost.exe ×16, 0672f13398e67c43c7157c82ebc12bab.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegHost.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 0672f13398e67c43c7157c82ebc12bab.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegHost.exe
  • Suspicious use of SetThreadContext
    0672f13398e67c43c7157c82ebc12bab.exe, RegHost.exe ×15

    Reported IOCs

    description | pid | process | target process
    PID 1600 set thread context of 588 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 1600 set thread context of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1396 set thread context of 2008 | 1396 | RegHost.exe | bfsvc.exe
    PID 1396 set thread context of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 2024 set thread context of 1252 | 2024 | RegHost.exe | bfsvc.exe
    PID 2024 set thread context of 1196 | 2024 | RegHost.exe | explorer.exe
    PID 1932 set thread context of 1640 | 1932 | RegHost.exe | bfsvc.exe
    PID 1932 set thread context of 1732 | 1932 | RegHost.exe | explorer.exe
    PID 588 set thread context of 1188 | 588 | RegHost.exe | bfsvc.exe
    PID 588 set thread context of 1048 | 588 | RegHost.exe | explorer.exe
    PID 1220 set thread context of 1324 | 1220 | RegHost.exe | bfsvc.exe
    PID 1220 set thread context of 1076 | 1220 | RegHost.exe | explorer.exe
    PID 1788 set thread context of 904 | 1788 | RegHost.exe | bfsvc.exe
    PID 1788 set thread context of 1104 | 1788 | RegHost.exe | explorer.exe
    PID 1488 set thread context of 772 | 1488 | RegHost.exe | bfsvc.exe
    PID 1488 set thread context of 1240 | 1488 | RegHost.exe | explorer.exe
    PID 1504 set thread context of 692 | 1504 | RegHost.exe | bfsvc.exe
    PID 1504 set thread context of 868 | 1504 | RegHost.exe | explorer.exe
    PID 1588 set thread context of 2004 | 1588 | RegHost.exe | bfsvc.exe
    PID 1588 set thread context of 1492 | 1588 | RegHost.exe | explorer.exe
    PID 1104 set thread context of 912 | 1104 | RegHost.exe | bfsvc.exe
    PID 1104 set thread context of 1640 | 1104 | RegHost.exe | explorer.exe
    PID 1192 set thread context of 1496 | 1192 | RegHost.exe | bfsvc.exe
    PID 1192 set thread context of 1180 | 1192 | RegHost.exe | explorer.exe
    PID 1204 set thread context of 956 | 1204 | RegHost.exe | bfsvc.exe
    PID 1204 set thread context of 2012 | 1204 | RegHost.exe | explorer.exe
    PID 1588 set thread context of 544 | 1588 | RegHost.exe | bfsvc.exe
    PID 1588 set thread context of 1620 | 1588 | RegHost.exe | explorer.exe
    PID 1488 set thread context of 1804 | 1488 | RegHost.exe | bfsvc.exe
    PID 1488 set thread context of 1296 | 1488 | RegHost.exe | explorer.exe
    PID 1048 set thread context of 1508 | 1048 | RegHost.exe | bfsvc.exe
    PID 1048 set thread context of 1076 | 1048 | RegHost.exe | explorer.exe
  • Program crash
    WerFault.exe

    Reported IOCs

    pid | pid_target | process | target process
    2044 | 864 | WerFault.exe | RegHost.exe
  • Suspicious behavior: EnumeratesProcesses
    explorer.exe ×7

    Reported IOCs

    pid | process
    1100 | explorer.exe
    1100 | explorer.exe
    1100 | explorer.exe
    1100 | explorer.exe
    1100 | explorer.exe
    1324 | explorer.exe
    1324 | explorer.exe
    1324 | explorer.exe
    1324 | explorer.exe
    1324 | explorer.exe
    1324 | explorer.exe
    1324 | explorer.exe
    1324 | explorer.exe
    1324 | explorer.exe
    1324 | explorer.exe
    1196 | explorer.exe
    1196 | explorer.exe
    1196 | explorer.exe
    1196 | explorer.exe
    1196 | explorer.exe
    1196 | explorer.exe
    1196 | explorer.exe
    1196 | explorer.exe
    1196 | explorer.exe
    1196 | explorer.exe
    1196 | explorer.exe
    1196 | explorer.exe
    1196 | explorer.exe
    1196 | explorer.exe
    1196 | explorer.exe
    1732 | explorer.exe
    1732 | explorer.exe
    1732 | explorer.exe
    1732 | explorer.exe
    1732 | explorer.exe
    1732 | explorer.exe
    1732 | explorer.exe
    1732 | explorer.exe
    1732 | explorer.exe
    1732 | explorer.exe
    1048 | explorer.exe
    1048 | explorer.exe
    1048 | explorer.exe
    1048 | explorer.exe
    1048 | explorer.exe
    1076 | explorer.exe
    1076 | explorer.exe
    1076 | explorer.exe
    1076 | explorer.exe
    1076 | explorer.exe
    1076 | explorer.exe
    1076 | explorer.exe
    1076 | explorer.exe
    1076 | explorer.exe
    1076 | explorer.exe
    1104 | explorer.exe
    1104 | explorer.exe
    1104 | explorer.exe
    1104 | explorer.exe
    1104 | explorer.exe
    1104 | explorer.exe
    1104 | explorer.exe
    1104 | explorer.exe
    1104 | explorer.exe
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2044 | WerFault.exe
  • Suspicious use of WriteProcessMemory
    0672f13398e67c43c7157c82ebc12bab.exe, explorer.exe, RegHost.exe, explorer.exe, RegHost.exe

    Reported IOCs

    description | pid | process | target process
    PID 1600 wrote to memory of 588 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 1600 wrote to memory of 588 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 1600 wrote to memory of 588 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 1600 wrote to memory of 588 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 1600 wrote to memory of 588 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 1600 wrote to memory of 588 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 1600 wrote to memory of 588 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 1600 wrote to memory of 588 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 1600 wrote to memory of 588 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1600 wrote to memory of 1100 | 1600 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 1100 wrote to memory of 1396 | 1100 | explorer.exe | RegHost.exe
    PID 1100 wrote to memory of 1396 | 1100 | explorer.exe | RegHost.exe
    PID 1100 wrote to memory of 1396 | 1100 | explorer.exe | RegHost.exe
    PID 1396 wrote to memory of 2008 | 1396 | RegHost.exe | bfsvc.exe
    PID 1396 wrote to memory of 2008 | 1396 | RegHost.exe | bfsvc.exe
    PID 1396 wrote to memory of 2008 | 1396 | RegHost.exe | bfsvc.exe
    PID 1396 wrote to memory of 2008 | 1396 | RegHost.exe | bfsvc.exe
    PID 1396 wrote to memory of 2008 | 1396 | RegHost.exe | bfsvc.exe
    PID 1396 wrote to memory of 2008 | 1396 | RegHost.exe | bfsvc.exe
    PID 1396 wrote to memory of 2008 | 1396 | RegHost.exe | bfsvc.exe
    PID 1396 wrote to memory of 2008 | 1396 | RegHost.exe | bfsvc.exe
    PID 1396 wrote to memory of 2008 | 1396 | RegHost.exe | bfsvc.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1396 wrote to memory of 1324 | 1396 | RegHost.exe | explorer.exe
    PID 1324 wrote to memory of 2024 | 1324 | explorer.exe | RegHost.exe
    PID 1324 wrote to memory of 2024 | 1324 | explorer.exe | RegHost.exe
    PID 1324 wrote to memory of 2024 | 1324 | explorer.exe | RegHost.exe
    PID 2024 wrote to memory of 1252 | 2024 | RegHost.exe | bfsvc.exe
    PID 2024 wrote to memory of 1252 | 2024 | RegHost.exe | bfsvc.exe
    PID 2024 wrote to memory of 1252 | 2024 | RegHost.exe | bfsvc.exe
    PID 2024 wrote to memory of 1252 | 2024 | RegHost.exe | bfsvc.exe
Processes 50
  • C:\Users\Admin\AppData\Local\Temp\0672f13398e67c43c7157c82ebc12bab.exe
    "C:\Users\Admin\AppData\Local\Temp\0672f13398e67c43c7157c82ebc12bab.exe"
    Checks BIOS information in registry
    Adds Run key to start application
    Checks whether UAC is enabled
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\bfsvc.exe
      C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
      PID:588
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
        Executes dropped EXE
        Checks BIOS information in registry
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        PID:1396
        • C:\Windows\bfsvc.exe
          C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
          PID:2008
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
          Loads dropped DLL
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of WriteProcessMemory
          PID:1324
          • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
            Executes dropped EXE
            Checks BIOS information in registry
            Adds Run key to start application
            Checks whether UAC is enabled
            Suspicious use of SetThreadContext
            Suspicious use of WriteProcessMemory
            PID:2024
            • C:\Windows\bfsvc.exe
              C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
              PID:1252
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
              Loads dropped DLL
              Suspicious behavior: EnumeratesProcesses
              PID:1196
              • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                Executes dropped EXE
                Checks BIOS information in registry
                Adds Run key to start application
                Checks whether UAC is enabled
                Suspicious use of SetThreadContext
                PID:1932
                • C:\Windows\bfsvc.exe
                  C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
                  PID:1640
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
                  Loads dropped DLL
                  Suspicious behavior: EnumeratesProcesses
                  PID:1732
                  • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                    Executes dropped EXE
                    Checks BIOS information in registry
                    Adds Run key to start application
                    Checks whether UAC is enabled
                    Suspicious use of SetThreadContext
                    PID:588
                    • C:\Windows\bfsvc.exe
                      C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
                      PID:1188
                    • C:\Windows\explorer.exe
                      C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
                      Loads dropped DLL
                      Suspicious behavior: EnumeratesProcesses
                      PID:1048
                      • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                        Executes dropped EXE
                        Checks BIOS information in registry
                        Adds Run key to start application
                        Checks whether UAC is enabled
                        Suspicious use of SetThreadContext
                        PID:1220
                        • C:\Windows\bfsvc.exe
                          C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
                          PID:1324
                        • C:\Windows\explorer.exe
                          C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
                          Loads dropped DLL
                          Suspicious behavior: EnumeratesProcesses
                          PID:1076
                          • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                            "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                            Executes dropped EXE
                            Checks BIOS information in registry
                            Adds Run key to start application
                            Checks whether UAC is enabled
                            Suspicious use of SetThreadContext
                            PID:1788
                            • C:\Windows\bfsvc.exe
                              C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
                              PID:904
                            • C:\Windows\explorer.exe
                              C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
                              Loads dropped DLL
                              Suspicious behavior: EnumeratesProcesses
                              PID:1104
                              • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                Executes dropped EXE
                                Checks BIOS information in registry
                                Adds Run key to start application
                                Checks whether UAC is enabled
                                Suspicious use of SetThreadContext
                                PID:1488
                                • C:\Windows\bfsvc.exe
                                  C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
                                  PID:772
                                • C:\Windows\explorer.exe
                                  C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
                                  Loads dropped DLL
                                  PID:1240
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                    "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                    Executes dropped EXE
                                    Checks BIOS information in registry
                                    Adds Run key to start application
                                    Checks whether UAC is enabled
                                    Suspicious use of SetThreadContext
                                    PID:1504
                                    • C:\Windows\bfsvc.exe
                                      C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
                                      PID:692
                                    • C:\Windows\explorer.exe
                                      C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
                                      Loads dropped DLL
                                      PID:868
                                      • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                        "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                        Executes dropped EXE
                                        Checks BIOS information in registry
                                        Adds Run key to start application
                                        Checks whether UAC is enabled
                                        Suspicious use of SetThreadContext
                                        PID:1588
                                        • C:\Windows\bfsvc.exe
                                          C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
                                          PID:2004
                                        • C:\Windows\explorer.exe
                                          C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
                                          Loads dropped DLL
                                          PID:1492
                                          • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                            "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                            Executes dropped EXE
                                            Checks BIOS information in registry
                                            Adds Run key to start application
                                            Checks whether UAC is enabled
                                            Suspicious use of SetThreadContext
                                            PID:1104
                                            • C:\Windows\bfsvc.exe
                                              C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
                                              PID:912
                                            • C:\Windows\explorer.exe
                                              C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
                                              Loads dropped DLL
                                              PID:1640
                                              • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                                "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                                Executes dropped EXE
                                                Checks BIOS information in registry
                                                Adds Run key to start application
                                                Checks whether UAC is enabled
                                                Suspicious use of SetThreadContext
                                                PID:1192
                                                • C:\Windows\bfsvc.exe
                                                  C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
                                                  PID:1496
                                                • C:\Windows\explorer.exe
                                                  C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
                                                  Loads dropped DLL
                                                  PID:1180
                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                                    Executes dropped EXE
                                                    Checks BIOS information in registry
                                                    Adds Run key to start application
                                                    Checks whether UAC is enabled
                                                    Suspicious use of SetThreadContext
                                                    PID:1204
                                                    • C:\Windows\bfsvc.exe
                                                      C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
                                                      PID:956
                                                    • C:\Windows\explorer.exe
                                                      C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
                                                      Loads dropped DLL
                                                      PID:2012
                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                                        Executes dropped EXE
                                                        Checks BIOS information in registry
                                                        Adds Run key to start application
                                                        Checks whether UAC is enabled
                                                        Suspicious use of SetThreadContext
                                                        PID:1588
                                                        • C:\Windows\bfsvc.exe
                                                          C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
                                                          PID:544
                                                        • C:\Windows\explorer.exe
                                                          C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
                                                          Loads dropped DLL
                                                          PID:1620
                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                                            Executes dropped EXE
                                                            Checks BIOS information in registry
                                                            Adds Run key to start application
                                                            Checks whether UAC is enabled
                                                            Suspicious use of SetThreadContext
                                                            PID:1488
                                                            • C:\Windows\bfsvc.exe
                                                              C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
                                                              PID:1804
                                                            • C:\Windows\explorer.exe
                                                              C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
                                                              Loads dropped DLL
                                                              PID:1296
                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                                                Executes dropped EXE
                                                                Checks BIOS information in registry
                                                                Adds Run key to start application
                                                                Checks whether UAC is enabled
                                                                Suspicious use of SetThreadContext
                                                                PID:1048
                                                                • C:\Windows\bfsvc.exe
                                                                  C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
                                                                  PID:1508
                                                                • C:\Windows\explorer.exe
                                                                  C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
                                                                  Loads dropped DLL
                                                                  PID:1076
                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                                                    Executes dropped EXE
                                                                    Checks BIOS information in registry
                                                                    Adds Run key to start application
                                                                    Checks whether UAC is enabled
                                                                    PID:864
                                                                    • C:\Windows\system32\WerFault.exe
                                                                      C:\Windows\system32\WerFault.exe -u -p 864 -s 144
                                                                      Loads dropped DLL
                                                                      Program crash
                                                                      Suspicious use of AdjustPrivilegeToken
                                                                      PID:2044
                    Downloads
                    • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe

                      MD5

                      0672f13398e67c43c7157c82ebc12bab

                      SHA1

                      7d0f4d5a05767f7ef534d7b05c72d5498918597d

                      SHA256

                      93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

                      SHA512

                      3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

                    • \Users\Admin\AppData\Roaming\Microsoft\RegHost.exe

                      MD5

                      0672f13398e67c43c7157c82ebc12bab

                      SHA1

                      7d0f4d5a05767f7ef534d7b05c72d5498918597d

                      SHA256

                      93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

                      SHA512

                      3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

                    • memory/588-57-0x0000000140000000-0x000000014274C000-memory.dmp

                    • memory/588-58-0x0000000140000000-0x000000014274C000-memory.dmp

                    • memory/588-59-0x0000000140000000-0x000000014274C000-memory.dmp

                    • memory/588-60-0x0000000140000000-0x000000014274C000-memory.dmp

                    • memory/1048-152-0x0000000140000000-0x000000014002A000-memory.dmp

                    • memory/1100-63-0x0000000140000000-0x000000014002A000-memory.dmp

                    • memory/1100-70-0x000007FEFC371000-0x000007FEFC373000-memory.dmp

                    • memory/1100-69-0x0000000140000000-0x000000014002A000-memory.dmp

                    • memory/1100-68-0x0000000140000000-0x000000014002A000-memory.dmp

                    • memory/1100-67-0x0000000140000000-0x000000014002A000-memory.dmp

                    • memory/1100-66-0x0000000140000000-0x000000014002A000-memory.dmp

                    • memory/1100-65-0x0000000140000000-0x000000014002A000-memory.dmp

                    • memory/1100-64-0x0000000140000000-0x000000014002A000-memory.dmp

                    • memory/1100-61-0x0000000140000000-0x000000014002A000-memory.dmp

                    • memory/1100-62-0x0000000140000000-0x000000014002A000-memory.dmp

                    • memory/1100-71-0x0000000140000000-0x000000014002A000-memory.dmp

                    • memory/1396-78-0x000000013FB00000-0x000000013FF3E000-memory.dmp

                    • memory/1396-76-0x000000013FB00000-0x000000013FF3E000-memory.dmp

                    • memory/1396-77-0x000000013FB00000-0x000000013FF3E000-memory.dmp

                    • memory/1600-54-0x000000013FB90000-0x000000013FFCE000-memory.dmp

                    • memory/1600-56-0x000000013FB90000-0x000000013FFCE000-memory.dmp

                    • memory/1600-55-0x000000013FB90000-0x000000013FFCE000-memory.dmp

                    • memory/1932-115-0x000000013F900000-0x000000013FD3E000-memory.dmp

                    • memory/1932-114-0x000000013F900000-0x000000013FD3E000-memory.dmp

                    • memory/1932-116-0x000000013F900000-0x000000013FD3E000-memory.dmp

                    • memory/2024-97-0x000000013FFB0000-0x00000001403EE000-memory.dmp

                    • memory/2024-95-0x000000013FFB0000-0x00000001403EE000-memory.dmp

                    • memory/2024-96-0x000000013FFB0000-0x00000001403EE000-memory.dmp

                    • memory/2044-370-0x0000000001F20000-0x0000000001F21000-memory.dmp