43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

Analysis

max time kernel
154s
max time network
132s
platform
windows10_x64
resource
win10-en-20211208
submitted
27-01-2022 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e80c2ae5587b824d8230e782089e86b.exe
Size

6.3MB
MD5

7e80c2ae5587b824d8230e782089e86b
SHA1

90f0912a29b9cc7a55bd4b561e1a574e005cecf6
SHA256

43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c
SHA512

db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Score

10^/10

evasion persistence themida trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 16 IoCs

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

pid	process
1524	RegHost.exe
3112	RegHost.exe
968	RegHost.exe
1824	RegHost.exe
3872	RegHost.exe
3992	RegHost.exe
1240	RegHost.exe
3580	RegHost.exe
1296	RegHost.exe
2068	RegHost.exe
3912	RegHost.exe
3800	RegHost.exe
3484	RegHost.exe
3940	RegHost.exe
2104	RegHost.exe
1372	RegHost.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/664-118-0x0000000140000000-0x000000014274C000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 34 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe7e80c2ae5587b824d8230e782089e86b.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7e80c2ae5587b824d8230e782089e86b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7e80c2ae5587b824d8230e782089e86b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe

Themida packer 56 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3776-115-0x00007FF7C6B40000-0x00007FF7C7489000-memory.dmp	themida
behavioral2/memory/3776-116-0x00007FF7C6B40000-0x00007FF7C7489000-memory.dmp	themida
behavioral2/memory/3776-117-0x00007FF7C6B40000-0x00007FF7C7489000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/1524-123-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/1524-124-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/1524-125-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/3112-130-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/3112-131-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/3112-132-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/968-137-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/968-138-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/968-139-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/1824-144-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/1824-145-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/1824-146-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/3872-151-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/3872-152-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/3872-153-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/3992-158-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/3992-159-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/3992-160-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/1240-165-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/1240-166-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/1240-167-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/3580-172-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/3580-173-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/3580-174-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/1296-179-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/1296-180-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/1296-181-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/2068-186-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/2068-187-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/2068-188-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/3912-193-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/3912-194-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/3912-195-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/3800-200-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/3800-201-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
behavioral2/memory/3800-202-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe7e80c2ae5587b824d8230e782089e86b.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	7e80c2ae5587b824d8230e782089e86b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe

Checks whether UAC is enabled 1 TTPs 17 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exe7e80c2ae5587b824d8230e782089e86b.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e80c2ae5587b824d8230e782089e86b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe

Suspicious use of SetThreadContext 33 IoCs

Processes:

7e80c2ae5587b824d8230e782089e86b.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	pid	process	target process
PID 3776 set thread context of 664	3776	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 3776 set thread context of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 1524 set thread context of 3580	1524	RegHost.exe	bfsvc.exe
PID 1524 set thread context of 892	1524	RegHost.exe	explorer.exe
PID 3112 set thread context of 1936	3112	RegHost.exe	bfsvc.exe
PID 3112 set thread context of 2036	3112	RegHost.exe	explorer.exe
PID 968 set thread context of 3316	968	RegHost.exe	bfsvc.exe
PID 968 set thread context of 1308	968	RegHost.exe	explorer.exe
PID 1824 set thread context of 2152	1824	RegHost.exe	bfsvc.exe
PID 1824 set thread context of 2232	1824	RegHost.exe	explorer.exe
PID 3872 set thread context of 2336	3872	RegHost.exe	bfsvc.exe
PID 3872 set thread context of 2220	3872	RegHost.exe	explorer.exe
PID 3992 set thread context of 1820	3992	RegHost.exe	bfsvc.exe
PID 3992 set thread context of 3860	3992	RegHost.exe	explorer.exe
PID 1240 set thread context of 1628	1240	RegHost.exe	bfsvc.exe
PID 1240 set thread context of 972	1240	RegHost.exe	explorer.exe
PID 3580 set thread context of 2104	3580	RegHost.exe	bfsvc.exe
PID 3580 set thread context of 2652	3580	RegHost.exe	explorer.exe
PID 1296 set thread context of 1660	1296	RegHost.exe	bfsvc.exe
PID 1296 set thread context of 1832	1296	RegHost.exe	explorer.exe
PID 2068 set thread context of 1564	2068	RegHost.exe	bfsvc.exe
PID 2068 set thread context of 3260	2068	RegHost.exe	explorer.exe
PID 3912 set thread context of 2368	3912	RegHost.exe	bfsvc.exe
PID 3912 set thread context of 3532	3912	RegHost.exe	explorer.exe
PID 3800 set thread context of 3992	3800	RegHost.exe	bfsvc.exe
PID 3800 set thread context of 2640	3800	RegHost.exe	explorer.exe
PID 3484 set thread context of 2240	3484	RegHost.exe	bfsvc.exe
PID 3484 set thread context of 1152	3484	RegHost.exe	explorer.exe
PID 3940 set thread context of 1108	3940	RegHost.exe	bfsvc.exe
PID 3940 set thread context of 2828	3940	RegHost.exe	explorer.exe
PID 2104 set thread context of 3664	2104	RegHost.exe	bfsvc.exe
PID 2104 set thread context of 2656	2104	RegHost.exe	explorer.exe
PID 1372 set thread context of 1308	1372	RegHost.exe	bfsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
700	explorer.exe
700	explorer.exe
700	explorer.exe
700	explorer.exe
700	explorer.exe
700	explorer.exe
700	explorer.exe
700	explorer.exe
700	explorer.exe
700	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
892	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe
1308	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7e80c2ae5587b824d8230e782089e86b.exeexplorer.exeRegHost.exeexplorer.exeRegHost.exe

description	pid	process	target process
PID 3776 wrote to memory of 664	3776	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 3776 wrote to memory of 664	3776	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 3776 wrote to memory of 664	3776	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 3776 wrote to memory of 664	3776	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 3776 wrote to memory of 664	3776	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 3776 wrote to memory of 664	3776	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 3776 wrote to memory of 664	3776	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 3776 wrote to memory of 664	3776	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 3776 wrote to memory of 664	3776	7e80c2ae5587b824d8230e782089e86b.exe	bfsvc.exe
PID 3776 wrote to memory of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 3776 wrote to memory of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 3776 wrote to memory of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 3776 wrote to memory of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 3776 wrote to memory of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 3776 wrote to memory of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 3776 wrote to memory of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 3776 wrote to memory of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 3776 wrote to memory of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 3776 wrote to memory of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 3776 wrote to memory of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 3776 wrote to memory of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 3776 wrote to memory of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 3776 wrote to memory of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 3776 wrote to memory of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 3776 wrote to memory of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 3776 wrote to memory of 700	3776	7e80c2ae5587b824d8230e782089e86b.exe	explorer.exe
PID 700 wrote to memory of 1524	700	explorer.exe	RegHost.exe
PID 700 wrote to memory of 1524	700	explorer.exe	RegHost.exe
PID 1524 wrote to memory of 3580	1524	RegHost.exe	bfsvc.exe
PID 1524 wrote to memory of 3580	1524	RegHost.exe	bfsvc.exe
PID 1524 wrote to memory of 3580	1524	RegHost.exe	bfsvc.exe
PID 1524 wrote to memory of 3580	1524	RegHost.exe	bfsvc.exe
PID 1524 wrote to memory of 3580	1524	RegHost.exe	bfsvc.exe
PID 1524 wrote to memory of 3580	1524	RegHost.exe	bfsvc.exe
PID 1524 wrote to memory of 3580	1524	RegHost.exe	bfsvc.exe
PID 1524 wrote to memory of 3580	1524	RegHost.exe	bfsvc.exe
PID 1524 wrote to memory of 3580	1524	RegHost.exe	bfsvc.exe
PID 1524 wrote to memory of 892	1524	RegHost.exe	explorer.exe
PID 1524 wrote to memory of 892	1524	RegHost.exe	explorer.exe
PID 1524 wrote to memory of 892	1524	RegHost.exe	explorer.exe
PID 1524 wrote to memory of 892	1524	RegHost.exe	explorer.exe
PID 1524 wrote to memory of 892	1524	RegHost.exe	explorer.exe
PID 1524 wrote to memory of 892	1524	RegHost.exe	explorer.exe
PID 1524 wrote to memory of 892	1524	RegHost.exe	explorer.exe
PID 1524 wrote to memory of 892	1524	RegHost.exe	explorer.exe
PID 1524 wrote to memory of 892	1524	RegHost.exe	explorer.exe
PID 1524 wrote to memory of 892	1524	RegHost.exe	explorer.exe
PID 1524 wrote to memory of 892	1524	RegHost.exe	explorer.exe
PID 1524 wrote to memory of 892	1524	RegHost.exe	explorer.exe
PID 1524 wrote to memory of 892	1524	RegHost.exe	explorer.exe
PID 1524 wrote to memory of 892	1524	RegHost.exe	explorer.exe
PID 1524 wrote to memory of 892	1524	RegHost.exe	explorer.exe
PID 1524 wrote to memory of 892	1524	RegHost.exe	explorer.exe
PID 1524 wrote to memory of 892	1524	RegHost.exe	explorer.exe
PID 892 wrote to memory of 3112	892	explorer.exe	RegHost.exe
PID 892 wrote to memory of 3112	892	explorer.exe	RegHost.exe
PID 3112 wrote to memory of 1936	3112	RegHost.exe	bfsvc.exe
PID 3112 wrote to memory of 1936	3112	RegHost.exe	bfsvc.exe
PID 3112 wrote to memory of 1936	3112	RegHost.exe	bfsvc.exe
PID 3112 wrote to memory of 1936	3112	RegHost.exe	bfsvc.exe
PID 3112 wrote to memory of 1936	3112	RegHost.exe	bfsvc.exe
PID 3112 wrote to memory of 1936	3112	RegHost.exe	bfsvc.exe
PID 3112 wrote to memory of 1936	3112	RegHost.exe	bfsvc.exe
PID 3112 wrote to memory of 1936	3112	RegHost.exe	bfsvc.exe

C:\Users\Admin\AppData\Local\Temp\7e80c2ae5587b824d8230e782089e86b.exe
"C:\Users\Admin\AppData\Local\Temp\7e80c2ae5587b824d8230e782089e86b.exe"
1⤵
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
2⤵
PID:664

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:700

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
4⤵
PID:3580

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
6⤵
PID:1936

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:968

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
8⤵
PID:3316

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1308

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1824

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
10⤵
PID:2152

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
10⤵
PID:2232

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
11⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3872

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
12⤵
PID:2336

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
12⤵
PID:2220

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
13⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3992

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
14⤵
PID:1820

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
14⤵
PID:3860

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
15⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1240

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
16⤵
PID:1628

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
16⤵
PID:972

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
17⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3580

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
18⤵
PID:2104

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
18⤵
PID:2652

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
19⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1296

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
20⤵
PID:1660

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
20⤵
PID:1832

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
21⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2068

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
22⤵
PID:1564

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
22⤵
PID:3260

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
23⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3912

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
24⤵
PID:2368

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
24⤵
PID:3532

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
25⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3800

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
26⤵
PID:3992

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
26⤵
PID:2640

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
27⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3484

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
28⤵
PID:2240

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
28⤵
PID:1152

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
29⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3940

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
30⤵
PID:1108

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
30⤵
PID:2828

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
31⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2104

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
32⤵
PID:3664

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
32⤵
PID:2656

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
33⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1372

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
34⤵
PID:1308

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
memory/664-118-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/700-121-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/700-119-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/892-128-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/968-138-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/968-139-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/968-137-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/972-170-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1152-212-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1240-167-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/1240-165-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/1240-166-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/1296-179-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/1296-181-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/1296-180-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/1308-142-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1524-125-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/1524-124-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/1524-123-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/1824-146-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/1824-145-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/1824-144-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/1832-184-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2036-135-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2068-187-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/2068-188-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/2068-186-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/2220-156-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2232-149-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2640-205-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2652-177-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2656-226-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2828-219-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3112-130-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/3112-132-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/3112-131-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/3260-191-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3532-198-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3580-173-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/3580-174-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/3580-172-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/3776-115-0x00007FF7C6B40000-0x00007FF7C7489000-memory.dmp

Filesize
9.3MB

Download
memory/3776-117-0x00007FF7C6B40000-0x00007FF7C7489000-memory.dmp

Filesize
9.3MB

Download
memory/3776-116-0x00007FF7C6B40000-0x00007FF7C7489000-memory.dmp

Filesize
9.3MB

Download
memory/3800-202-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/3800-200-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/3800-201-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/3860-163-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3872-151-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/3872-152-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/3872-153-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/3912-195-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/3912-194-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/3912-193-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/3992-160-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/3992-158-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download
memory/3992-159-0x00007FF6D6E80000-0x00007FF6D77C9000-memory.dmp

Filesize
9.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads