e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

Analysis

max time kernel
154s
max time network
160s
platform
windows7_x64
resource
win7-en-20211208
submitted
23-01-2022 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fl.exe
Size

1.3MB
MD5

c607b8bf42f152de754d361bae337bdc
SHA1

642fdb6a3aef4b82056a4fd69af925622188b78a
SHA256

e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a
SHA512

a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Score

10^/10

evasion persistence themida trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

pid	process
1540	RegHost.exe
1912	RegHost.exe
1716	RegHost.exe
1668	RegHost.exe
996	RegHost.exe
1392	RegHost.exe
856	RegHost.exe
1120	RegHost.exe
1472	RegHost.exe
1964	RegHost.exe
1992	RegHost.exe
1736	RegHost.exe
1480	RegHost.exe
1668	RegHost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/460-58-0x0000000140000000-0x000000014274C000-memory.dmp	upx
behavioral1/memory/460-59-0x0000000140000000-0x000000014274C000-memory.dmp	upx
behavioral1/memory/460-60-0x0000000140000000-0x000000014274C000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 30 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exefl.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe

Loads dropped DLL 15 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
1312	explorer.exe
1312	explorer.exe
2008	explorer.exe
1096	explorer.exe
1324	explorer.exe
1972	explorer.exe
1528	explorer.exe
1096	explorer.exe
1000	explorer.exe
524	explorer.exe
1604	explorer.exe
1616	explorer.exe
1000	explorer.exe
1448	explorer.exe
1644	explorer.exe

Themida packer 42 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1740-54-0x000000013FDA0000-0x00000001401E9000-memory.dmp	themida
behavioral1/memory/1740-55-0x000000013FDA0000-0x00000001401E9000-memory.dmp	themida
behavioral1/memory/1740-56-0x000000013FDA0000-0x00000001401E9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/1540-77-0x000000013FA90000-0x000000013FED9000-memory.dmp	themida
behavioral1/memory/1540-76-0x000000013FA90000-0x000000013FED9000-memory.dmp	themida
behavioral1/memory/1540-78-0x000000013FA90000-0x000000013FED9000-memory.dmp	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/1912-95-0x000000013F7B0000-0x000000013FBF9000-memory.dmp	themida
behavioral1/memory/1912-96-0x000000013F7B0000-0x000000013FBF9000-memory.dmp	themida
behavioral1/memory/1912-97-0x000000013F7B0000-0x000000013FBF9000-memory.dmp	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/1716-114-0x000000013F620000-0x000000013FA69000-memory.dmp	themida
behavioral1/memory/1716-115-0x000000013F620000-0x000000013FA69000-memory.dmp	themida
behavioral1/memory/1716-116-0x000000013F620000-0x000000013FA69000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exefl.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	fl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe

Checks whether UAC is enabled 1 TTPs 15 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exefl.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe

Suspicious use of SetThreadContext 29 IoCs

Processes:

fl.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	pid	process	target process
PID 1740 set thread context of 460	1740	fl.exe	bfsvc.exe
PID 1740 set thread context of 1312	1740	fl.exe	explorer.exe
PID 1540 set thread context of 1800	1540	RegHost.exe	bfsvc.exe
PID 1540 set thread context of 2008	1540	RegHost.exe	explorer.exe
PID 1912 set thread context of 2024	1912	RegHost.exe	bfsvc.exe
PID 1912 set thread context of 1096	1912	RegHost.exe	explorer.exe
PID 1716 set thread context of 1764	1716	RegHost.exe	bfsvc.exe
PID 1716 set thread context of 1324	1716	RegHost.exe	explorer.exe
PID 1668 set thread context of 916	1668	RegHost.exe	bfsvc.exe
PID 1668 set thread context of 1972	1668	RegHost.exe	explorer.exe
PID 996 set thread context of 1468	996	RegHost.exe	bfsvc.exe
PID 996 set thread context of 1528	996	RegHost.exe	explorer.exe
PID 1392 set thread context of 1756	1392	RegHost.exe	bfsvc.exe
PID 1392 set thread context of 1096	1392	RegHost.exe	explorer.exe
PID 856 set thread context of 1944	856	RegHost.exe	bfsvc.exe
PID 856 set thread context of 1000	856	RegHost.exe	explorer.exe
PID 1120 set thread context of 1632	1120	RegHost.exe	bfsvc.exe
PID 1120 set thread context of 524	1120	RegHost.exe	explorer.exe
PID 1472 set thread context of 1752	1472	RegHost.exe	bfsvc.exe
PID 1472 set thread context of 1604	1472	RegHost.exe	explorer.exe
PID 1964 set thread context of 948	1964	RegHost.exe	bfsvc.exe
PID 1964 set thread context of 1616	1964	RegHost.exe	explorer.exe
PID 1992 set thread context of 1536	1992	RegHost.exe	bfsvc.exe
PID 1992 set thread context of 1000	1992	RegHost.exe	explorer.exe
PID 1736 set thread context of 1256	1736	RegHost.exe	bfsvc.exe
PID 1736 set thread context of 1448	1736	RegHost.exe	explorer.exe
PID 1480 set thread context of 1884	1480	RegHost.exe	bfsvc.exe
PID 1480 set thread context of 1644	1480	RegHost.exe	explorer.exe
PID 1668 set thread context of 864	1668	RegHost.exe	bfsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
1312	explorer.exe
1312	explorer.exe
1312	explorer.exe
1312	explorer.exe
1312	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
2008	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fl.exeexplorer.exeRegHost.exeexplorer.exeRegHost.exe

description	pid	process	target process
PID 1740 wrote to memory of 460	1740	fl.exe	bfsvc.exe
PID 1740 wrote to memory of 460	1740	fl.exe	bfsvc.exe
PID 1740 wrote to memory of 460	1740	fl.exe	bfsvc.exe
PID 1740 wrote to memory of 460	1740	fl.exe	bfsvc.exe
PID 1740 wrote to memory of 460	1740	fl.exe	bfsvc.exe
PID 1740 wrote to memory of 460	1740	fl.exe	bfsvc.exe
PID 1740 wrote to memory of 460	1740	fl.exe	bfsvc.exe
PID 1740 wrote to memory of 460	1740	fl.exe	bfsvc.exe
PID 1740 wrote to memory of 460	1740	fl.exe	bfsvc.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1740 wrote to memory of 1312	1740	fl.exe	explorer.exe
PID 1312 wrote to memory of 1540	1312	explorer.exe	RegHost.exe
PID 1312 wrote to memory of 1540	1312	explorer.exe	RegHost.exe
PID 1312 wrote to memory of 1540	1312	explorer.exe	RegHost.exe
PID 1540 wrote to memory of 1800	1540	RegHost.exe	bfsvc.exe
PID 1540 wrote to memory of 1800	1540	RegHost.exe	bfsvc.exe
PID 1540 wrote to memory of 1800	1540	RegHost.exe	bfsvc.exe
PID 1540 wrote to memory of 1800	1540	RegHost.exe	bfsvc.exe
PID 1540 wrote to memory of 1800	1540	RegHost.exe	bfsvc.exe
PID 1540 wrote to memory of 1800	1540	RegHost.exe	bfsvc.exe
PID 1540 wrote to memory of 1800	1540	RegHost.exe	bfsvc.exe
PID 1540 wrote to memory of 1800	1540	RegHost.exe	bfsvc.exe
PID 1540 wrote to memory of 1800	1540	RegHost.exe	bfsvc.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 1540 wrote to memory of 2008	1540	RegHost.exe	explorer.exe
PID 2008 wrote to memory of 1912	2008	explorer.exe	RegHost.exe
PID 2008 wrote to memory of 1912	2008	explorer.exe	RegHost.exe
PID 2008 wrote to memory of 1912	2008	explorer.exe	RegHost.exe
PID 1912 wrote to memory of 2024	1912	RegHost.exe	bfsvc.exe
PID 1912 wrote to memory of 2024	1912	RegHost.exe	bfsvc.exe
PID 1912 wrote to memory of 2024	1912	RegHost.exe	bfsvc.exe
PID 1912 wrote to memory of 2024	1912	RegHost.exe	bfsvc.exe

C:\Users\Admin\AppData\Local\Temp\fl.exe
"C:\Users\Admin\AppData\Local\Temp\fl.exe"
1⤵
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
2⤵
PID:460

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Standard%20VGA%20Graphics%20Adapter" "pidr" "ton"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
4⤵
PID:1800

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Standard%20VGA%20Graphics%20Adapter" "pidr" "ton"
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
6⤵
PID:2024

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Standard%20VGA%20Graphics%20Adapter" "pidr" "ton"
6⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1096

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1716

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
8⤵
PID:1764

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Standard%20VGA%20Graphics%20Adapter" "pidr" "ton"
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1324

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1668

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
10⤵
PID:916

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Standard%20VGA%20Graphics%20Adapter" "pidr" "ton"
10⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
11⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:996

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
12⤵
PID:1468

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Standard%20VGA%20Graphics%20Adapter" "pidr" "ton"
12⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1528

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
13⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1392

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
14⤵
PID:1756

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Standard%20VGA%20Graphics%20Adapter" "pidr" "ton"
14⤵
- Loads dropped DLL
PID:1096

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
15⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:856

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
16⤵
PID:1944

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Standard%20VGA%20Graphics%20Adapter" "pidr" "ton"
16⤵
- Loads dropped DLL
PID:1000

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
17⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1120

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
18⤵
PID:1632

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Standard%20VGA%20Graphics%20Adapter" "pidr" "ton"
18⤵
- Loads dropped DLL
PID:524

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
19⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1472

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
20⤵
PID:1752

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Standard%20VGA%20Graphics%20Adapter" "pidr" "ton"
20⤵
- Loads dropped DLL
PID:1604

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
21⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1964

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
22⤵
PID:948

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Standard%20VGA%20Graphics%20Adapter" "pidr" "ton"
22⤵
- Loads dropped DLL
PID:1616

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
23⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1992

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
24⤵
PID:1536

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Standard%20VGA%20Graphics%20Adapter" "pidr" "ton"
24⤵
- Loads dropped DLL
PID:1000

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
25⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1736

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
26⤵
PID:1256

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Standard%20VGA%20Graphics%20Adapter" "pidr" "ton"
26⤵
- Loads dropped DLL
PID:1448

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
27⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1480

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
28⤵
PID:1884

C:\Windows\explorer.exe
C:\Windows\explorer.exe "hhurdnl" "Standard%20VGA%20Graphics%20Adapter" "pidr" "ton"
28⤵
- Loads dropped DLL
PID:1644

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
29⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1668

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQBYC6RSCwD4IEtqk167RcoaMht-2683ZvmyBgLOvfzmrsdX
30⤵
PID:864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c607b8bf42f152de754d361bae337bdc

SHA1
642fdb6a3aef4b82056a4fd69af925622188b78a

SHA256
e399e3fc1f94f17e12ff0c16f8246523cce8b45c27e6c9b8d484e26dbb94b10a

SHA512
a89bef28c045dbfaf884ceebdbf30ceb9bc1ccc5c8ff4fa4aed78c74c436e65d987c5de40e44161ff3bd476bce9fa7fc6ce63483198ee7c96b310877c566fdd7

Download Submit
memory/460-60-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/460-59-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/460-58-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/460-57-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/1312-69-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1312-65-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1312-61-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1312-62-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1312-63-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1312-64-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1312-67-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1312-66-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1312-68-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1312-70-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download
memory/1312-72-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1540-77-0x000000013FA90000-0x000000013FED9000-memory.dmp

Filesize
4.3MB

Download
memory/1540-76-0x000000013FA90000-0x000000013FED9000-memory.dmp

Filesize
4.3MB

Download
memory/1540-78-0x000000013FA90000-0x000000013FED9000-memory.dmp

Filesize
4.3MB

Download
memory/1716-116-0x000000013F620000-0x000000013FA69000-memory.dmp

Filesize
4.3MB

Download
memory/1716-114-0x000000013F620000-0x000000013FA69000-memory.dmp

Filesize
4.3MB

Download
memory/1716-115-0x000000013F620000-0x000000013FA69000-memory.dmp

Filesize
4.3MB

Download
memory/1740-54-0x000000013FDA0000-0x00000001401E9000-memory.dmp

Filesize
4.3MB

Download
memory/1740-56-0x000000013FDA0000-0x00000001401E9000-memory.dmp

Filesize
4.3MB

Download
memory/1740-55-0x000000013FDA0000-0x00000001401E9000-memory.dmp

Filesize
4.3MB

Download
memory/1912-95-0x000000013F7B0000-0x000000013FBF9000-memory.dmp

Filesize
4.3MB

Download
memory/1912-96-0x000000013F7B0000-0x000000013FBF9000-memory.dmp

Filesize
4.3MB

Download
memory/1912-97-0x000000013F7B0000-0x000000013FBF9000-memory.dmp

Filesize
4.3MB

Download