93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

Analysis

max time kernel
146s
max time network
144s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-01-2022 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0672f13398e67c43c7157c82ebc12bab.exe
Size

1.3MB
MD5

0672f13398e67c43c7157c82ebc12bab
SHA1

7d0f4d5a05767f7ef534d7b05c72d5498918597d
SHA256

93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1
SHA512

3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Score

10^/10

evasion persistence themida trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 16 IoCs

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

pid	process
1396	RegHost.exe
2024	RegHost.exe
1932	RegHost.exe
588	RegHost.exe
1220	RegHost.exe
1788	RegHost.exe
1488	RegHost.exe
1504	RegHost.exe
1588	RegHost.exe
1104	RegHost.exe
1192	RegHost.exe
1204	RegHost.exe
1588	RegHost.exe
1488	RegHost.exe
1048	RegHost.exe
864	RegHost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/588-58-0x0000000140000000-0x000000014274C000-memory.dmp	upx
behavioral1/memory/588-59-0x0000000140000000-0x000000014274C000-memory.dmp	upx
behavioral1/memory/588-60-0x0000000140000000-0x000000014274C000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 34 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe0672f13398e67c43c7157c82ebc12bab.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0672f13398e67c43c7157c82ebc12bab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0672f13398e67c43c7157c82ebc12bab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe

Loads dropped DLL 21 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeWerFault.exe

pid	process
1100	explorer.exe
1100	explorer.exe
1324	explorer.exe
1196	explorer.exe
1732	explorer.exe
1048	explorer.exe
1076	explorer.exe
1104	explorer.exe
1240	explorer.exe
868	explorer.exe
1492	explorer.exe
1640	explorer.exe
1180	explorer.exe
2012	explorer.exe
1620	explorer.exe
1296	explorer.exe
1076	explorer.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe
2044	WerFault.exe

Themida packer 50 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1600-54-0x000000013FB90000-0x000000013FFCE000-memory.dmp	themida
behavioral1/memory/1600-55-0x000000013FB90000-0x000000013FFCE000-memory.dmp	themida
behavioral1/memory/1600-56-0x000000013FB90000-0x000000013FFCE000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/1396-76-0x000000013FB00000-0x000000013FF3E000-memory.dmp	themida
behavioral1/memory/1396-77-0x000000013FB00000-0x000000013FF3E000-memory.dmp	themida
behavioral1/memory/1396-78-0x000000013FB00000-0x000000013FF3E000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/2024-95-0x000000013FFB0000-0x00000001403EE000-memory.dmp	themida
behavioral1/memory/2024-96-0x000000013FFB0000-0x00000001403EE000-memory.dmp	themida
behavioral1/memory/2024-97-0x000000013FFB0000-0x00000001403EE000-memory.dmp	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/1932-114-0x000000013F900000-0x000000013FD3E000-memory.dmp	themida
behavioral1/memory/1932-115-0x000000013F900000-0x000000013FD3E000-memory.dmp	themida
behavioral1/memory/1932-116-0x000000013F900000-0x000000013FD3E000-memory.dmp	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0672f13398e67c43c7157c82ebc12bab.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	0672f13398e67c43c7157c82ebc12bab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe

Checks whether UAC is enabled 1 TTPs 17 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe0672f13398e67c43c7157c82ebc12bab.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0672f13398e67c43c7157c82ebc12bab.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe

Suspicious use of SetThreadContext 32 IoCs

Processes:

description	pid	process	target process
PID 1600 set thread context of 588	1600	0672f13398e67c43c7157c82ebc12bab.exe	bfsvc.exe
PID 1600 set thread context of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1396 set thread context of 2008	1396	RegHost.exe	bfsvc.exe
PID 1396 set thread context of 1324	1396	RegHost.exe	explorer.exe
PID 2024 set thread context of 1252	2024	RegHost.exe	bfsvc.exe
PID 2024 set thread context of 1196	2024	RegHost.exe	explorer.exe
PID 1932 set thread context of 1640	1932	RegHost.exe	bfsvc.exe
PID 1932 set thread context of 1732	1932	RegHost.exe	explorer.exe
PID 588 set thread context of 1188	588	RegHost.exe	bfsvc.exe
PID 588 set thread context of 1048	588	RegHost.exe	explorer.exe
PID 1220 set thread context of 1324	1220	RegHost.exe	bfsvc.exe
PID 1220 set thread context of 1076	1220	RegHost.exe	explorer.exe
PID 1788 set thread context of 904	1788	RegHost.exe	bfsvc.exe
PID 1788 set thread context of 1104	1788	RegHost.exe	explorer.exe
PID 1488 set thread context of 772	1488	RegHost.exe	bfsvc.exe
PID 1488 set thread context of 1240	1488	RegHost.exe	explorer.exe
PID 1504 set thread context of 692	1504	RegHost.exe	bfsvc.exe
PID 1504 set thread context of 868	1504	RegHost.exe	explorer.exe
PID 1588 set thread context of 2004	1588	RegHost.exe	bfsvc.exe
PID 1588 set thread context of 1492	1588	RegHost.exe	explorer.exe
PID 1104 set thread context of 912	1104	RegHost.exe	bfsvc.exe
PID 1104 set thread context of 1640	1104	RegHost.exe	explorer.exe
PID 1192 set thread context of 1496	1192	RegHost.exe	bfsvc.exe
PID 1192 set thread context of 1180	1192	RegHost.exe	explorer.exe
PID 1204 set thread context of 956	1204	RegHost.exe	bfsvc.exe
PID 1204 set thread context of 2012	1204	RegHost.exe	explorer.exe
PID 1588 set thread context of 544	1588	RegHost.exe	bfsvc.exe
PID 1588 set thread context of 1620	1588	RegHost.exe	explorer.exe
PID 1488 set thread context of 1804	1488	RegHost.exe	bfsvc.exe
PID 1488 set thread context of 1296	1488	RegHost.exe	explorer.exe
PID 1048 set thread context of 1508	1048	RegHost.exe	bfsvc.exe
PID 1048 set thread context of 1076	1048	RegHost.exe	explorer.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2044 864 WerFault.exe RegHost.exe

pid	pid_target	process	target process
2044	864	WerFault.exe	RegHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1048	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 2044 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	2044	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0672f13398e67c43c7157c82ebc12bab.exeexplorer.exeRegHost.exeexplorer.exeRegHost.exe

description	pid	process	target process
PID 1600 wrote to memory of 588	1600	0672f13398e67c43c7157c82ebc12bab.exe	bfsvc.exe
PID 1600 wrote to memory of 588	1600	0672f13398e67c43c7157c82ebc12bab.exe	bfsvc.exe
PID 1600 wrote to memory of 588	1600	0672f13398e67c43c7157c82ebc12bab.exe	bfsvc.exe
PID 1600 wrote to memory of 588	1600	0672f13398e67c43c7157c82ebc12bab.exe	bfsvc.exe
PID 1600 wrote to memory of 588	1600	0672f13398e67c43c7157c82ebc12bab.exe	bfsvc.exe
PID 1600 wrote to memory of 588	1600	0672f13398e67c43c7157c82ebc12bab.exe	bfsvc.exe
PID 1600 wrote to memory of 588	1600	0672f13398e67c43c7157c82ebc12bab.exe	bfsvc.exe
PID 1600 wrote to memory of 588	1600	0672f13398e67c43c7157c82ebc12bab.exe	bfsvc.exe
PID 1600 wrote to memory of 588	1600	0672f13398e67c43c7157c82ebc12bab.exe	bfsvc.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1600 wrote to memory of 1100	1600	0672f13398e67c43c7157c82ebc12bab.exe	explorer.exe
PID 1100 wrote to memory of 1396	1100	explorer.exe	RegHost.exe
PID 1100 wrote to memory of 1396	1100	explorer.exe	RegHost.exe
PID 1100 wrote to memory of 1396	1100	explorer.exe	RegHost.exe
PID 1396 wrote to memory of 2008	1396	RegHost.exe	bfsvc.exe
PID 1396 wrote to memory of 2008	1396	RegHost.exe	bfsvc.exe
PID 1396 wrote to memory of 2008	1396	RegHost.exe	bfsvc.exe
PID 1396 wrote to memory of 2008	1396	RegHost.exe	bfsvc.exe
PID 1396 wrote to memory of 2008	1396	RegHost.exe	bfsvc.exe
PID 1396 wrote to memory of 2008	1396	RegHost.exe	bfsvc.exe
PID 1396 wrote to memory of 2008	1396	RegHost.exe	bfsvc.exe
PID 1396 wrote to memory of 2008	1396	RegHost.exe	bfsvc.exe
PID 1396 wrote to memory of 2008	1396	RegHost.exe	bfsvc.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1396 wrote to memory of 1324	1396	RegHost.exe	explorer.exe
PID 1324 wrote to memory of 2024	1324	explorer.exe	RegHost.exe
PID 1324 wrote to memory of 2024	1324	explorer.exe	RegHost.exe
PID 1324 wrote to memory of 2024	1324	explorer.exe	RegHost.exe
PID 2024 wrote to memory of 1252	2024	RegHost.exe	bfsvc.exe
PID 2024 wrote to memory of 1252	2024	RegHost.exe	bfsvc.exe
PID 2024 wrote to memory of 1252	2024	RegHost.exe	bfsvc.exe
PID 2024 wrote to memory of 1252	2024	RegHost.exe	bfsvc.exe

C:\Users\Admin\AppData\Local\Temp\0672f13398e67c43c7157c82ebc12bab.exe
"C:\Users\Admin\AppData\Local\Temp\0672f13398e67c43c7157c82ebc12bab.exe"
1⤵
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
2⤵
PID:588

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
4⤵
PID:2008

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
6⤵
PID:1252

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
6⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1196

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1932

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
8⤵
PID:1640

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:588

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
10⤵
PID:1188

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
10⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1048

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
11⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1220

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
12⤵
PID:1324

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
12⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1076

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
13⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1788

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
14⤵
PID:904

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
14⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
15⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1488

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
16⤵
PID:772

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
16⤵
- Loads dropped DLL
PID:1240

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
17⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1504

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
18⤵
PID:692

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
18⤵
- Loads dropped DLL
PID:868

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
19⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1588

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
20⤵
PID:2004

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
20⤵
- Loads dropped DLL
PID:1492

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
21⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1104

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
22⤵
PID:912

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
22⤵
- Loads dropped DLL
PID:1640

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
23⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1192

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
24⤵
PID:1496

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
24⤵
- Loads dropped DLL
PID:1180

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
25⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1204

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
26⤵
PID:956

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
26⤵
- Loads dropped DLL
PID:2012

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
27⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1588

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
28⤵
PID:544

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
28⤵
- Loads dropped DLL
PID:1620

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
29⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1488

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
30⤵
PID:1804

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
30⤵
- Loads dropped DLL
PID:1296

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
31⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1048

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
32⤵
PID:1508

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Standard%20VGA%20Graphics%20Adapter" "TONcoin" "ton"
32⤵
- Loads dropped DLL
PID:1076

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
33⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
PID:864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 864 -s 144
34⤵
- Loads dropped DLL
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
0672f13398e67c43c7157c82ebc12bab

SHA1
7d0f4d5a05767f7ef534d7b05c72d5498918597d

SHA256
93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

SHA512
3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a

Download Submit
memory/588-60-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/588-57-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/588-58-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/588-59-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/1048-152-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1100-71-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1100-70-0x000007FEFC371000-0x000007FEFC373000-memory.dmp

Filesize
8KB

Download
memory/1100-64-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1100-63-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1100-62-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1100-61-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1100-65-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1100-68-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1100-69-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1100-66-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1100-67-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1396-76-0x000000013FB00000-0x000000013FF3E000-memory.dmp

Filesize
4.2MB

Download
memory/1396-77-0x000000013FB00000-0x000000013FF3E000-memory.dmp

Filesize
4.2MB

Download
memory/1396-78-0x000000013FB00000-0x000000013FF3E000-memory.dmp

Filesize
4.2MB

Download
memory/1600-54-0x000000013FB90000-0x000000013FFCE000-memory.dmp

Filesize
4.2MB

Download
memory/1600-56-0x000000013FB90000-0x000000013FFCE000-memory.dmp

Filesize
4.2MB

Download
memory/1600-55-0x000000013FB90000-0x000000013FFCE000-memory.dmp

Filesize
4.2MB

Download
memory/1932-116-0x000000013F900000-0x000000013FD3E000-memory.dmp

Filesize
4.2MB

Download
memory/1932-114-0x000000013F900000-0x000000013FD3E000-memory.dmp

Filesize
4.2MB

Download
memory/1932-115-0x000000013F900000-0x000000013FD3E000-memory.dmp

Filesize
4.2MB

Download
memory/2024-95-0x000000013FFB0000-0x00000001403EE000-memory.dmp

Filesize
4.2MB

Download
memory/2024-96-0x000000013FFB0000-0x00000001403EE000-memory.dmp

Filesize
4.2MB

Download
memory/2024-97-0x000000013FFB0000-0x00000001403EE000-memory.dmp

Filesize
4.2MB

Download
memory/2044-370-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download