afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

Analysis

max time kernel
93s
max time network
126s
platform
windows10_x64
resource
win10-en-20211208
submitted
30-01-2022 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe
Size

1.1MB
MD5

488bf62441ff75040d50da4c2bec376b
SHA1

29931ab97f4cb72be955fd51994a895732da871e
SHA256

afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9
SHA512

ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3152 created 3496 3152 WerFault.exe RegHost.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

description	pid	process	target process
PID 3152 created 3496	3152	WerFault.exe	RegHost.exe

Executes dropped EXE 12 IoCs

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

pid	process
4036	RegHost.exe
1724	RegHost.exe
3004	RegHost.exe
2020	RegHost.exe
2552	RegHost.exe
3612	RegHost.exe
3756	RegHost.exe
1908	RegHost.exe
2620	RegHost.exe
360	RegHost.exe
1652	RegHost.exe
3496	RegHost.exe

Checks BIOS information in registry 2 TTPs 26 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeafaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe

Themida packer 52 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/3840-115-0x00007FF7B4A40000-0x00007FF7B4E28000-memory.dmp	themida
behavioral1/memory/3840-116-0x00007FF7B4A40000-0x00007FF7B4E28000-memory.dmp	themida
behavioral1/memory/3840-117-0x00007FF7B4A40000-0x00007FF7B4E28000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/4036-124-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/4036-125-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/4036-126-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/1724-132-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/1724-133-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/1724-134-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/3004-140-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/3004-141-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/3004-142-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/2020-148-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/2020-149-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/2020-150-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/2552-156-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/2552-157-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/2552-158-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/3612-164-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/3612-165-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/3612-166-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/3756-172-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/3756-173-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/3756-174-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/1908-180-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/1908-181-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/1908-182-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/2620-188-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/2620-189-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/2620-190-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/360-196-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/360-197-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/360-198-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/1652-204-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/1652-205-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/1652-206-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/3496-212-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/3496-213-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida
behavioral1/memory/3496-214-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp	themida

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeafaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exeRegHost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe

Checks whether UAC is enabled 1 TTPs 13 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeafaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

bfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exe

pid	process
660	bfsvc.exe
660	bfsvc.exe
4028	bfsvc.exe
4028	bfsvc.exe
716	bfsvc.exe
716	bfsvc.exe
1132	bfsvc.exe
1132	bfsvc.exe
2092	bfsvc.exe
2092	bfsvc.exe
1944	bfsvc.exe
1944	bfsvc.exe
1868	bfsvc.exe
1868	bfsvc.exe
2924	bfsvc.exe
2924	bfsvc.exe
1884	bfsvc.exe
1884	bfsvc.exe
2872	bfsvc.exe
2872	bfsvc.exe
2324	bfsvc.exe
2324	bfsvc.exe
2012	bfsvc.exe
2012	bfsvc.exe

Suspicious use of SetThreadContext 24 IoCs

Processes:

afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	pid	process	target process
PID 3840 set thread context of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 set thread context of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 4036 set thread context of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 set thread context of 3684	4036	RegHost.exe	explorer.exe
PID 1724 set thread context of 716	1724	RegHost.exe	bfsvc.exe
PID 1724 set thread context of 2452	1724	RegHost.exe	explorer.exe
PID 3004 set thread context of 1132	3004	RegHost.exe	bfsvc.exe
PID 3004 set thread context of 3572	3004	RegHost.exe	explorer.exe
PID 2020 set thread context of 2092	2020	RegHost.exe	bfsvc.exe
PID 2020 set thread context of 3052	2020	RegHost.exe	explorer.exe
PID 2552 set thread context of 1944	2552	RegHost.exe	bfsvc.exe
PID 2552 set thread context of 3368	2552	RegHost.exe	explorer.exe
PID 3612 set thread context of 1868	3612	RegHost.exe	bfsvc.exe
PID 3612 set thread context of 2192	3612	RegHost.exe	explorer.exe
PID 3756 set thread context of 2924	3756	RegHost.exe	bfsvc.exe
PID 3756 set thread context of 4068	3756	RegHost.exe	explorer.exe
PID 1908 set thread context of 1884	1908	RegHost.exe	bfsvc.exe
PID 1908 set thread context of 1192	1908	RegHost.exe	explorer.exe
PID 2620 set thread context of 2872	2620	RegHost.exe	bfsvc.exe
PID 2620 set thread context of 380	2620	RegHost.exe	explorer.exe
PID 360 set thread context of 2324	360	RegHost.exe	bfsvc.exe
PID 360 set thread context of 1380	360	RegHost.exe	explorer.exe
PID 1652 set thread context of 2012	1652	RegHost.exe	bfsvc.exe
PID 1652 set thread context of 3412	1652	RegHost.exe	explorer.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3152 3496 WerFault.exe RegHost.exe

pid	pid_target	process	target process
3152	3496	WerFault.exe	RegHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
3684	explorer.exe
3684	explorer.exe
3684	explorer.exe
3684	explorer.exe
3684	explorer.exe
3684	explorer.exe
3684	explorer.exe
3684	explorer.exe
3684	explorer.exe
3684	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
2452	explorer.exe
3572	explorer.exe
3572	explorer.exe
3572	explorer.exe
3572	explorer.exe
3572	explorer.exe
3572	explorer.exe
3572	explorer.exe
3572	explorer.exe
3572	explorer.exe
3572	explorer.exe
3052	explorer.exe
3052	explorer.exe
3052	explorer.exe
3052	explorer.exe
3052	explorer.exe
3052	explorer.exe
3052	explorer.exe
3052	explorer.exe
3052	explorer.exe
3052	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe
3368	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 3152 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	3152	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exeexplorer.exeRegHost.exe

description	pid	process	target process
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 660	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	bfsvc.exe
PID 3840 wrote to memory of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 3840 wrote to memory of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 3840 wrote to memory of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 3840 wrote to memory of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 3840 wrote to memory of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 3840 wrote to memory of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 3840 wrote to memory of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 3840 wrote to memory of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 3840 wrote to memory of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 3840 wrote to memory of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 3840 wrote to memory of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 3840 wrote to memory of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 3840 wrote to memory of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 3840 wrote to memory of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 3840 wrote to memory of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 3840 wrote to memory of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 3840 wrote to memory of 1052	3840	afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe	explorer.exe
PID 1052 wrote to memory of 4036	1052	explorer.exe	RegHost.exe
PID 1052 wrote to memory of 4036	1052	explorer.exe	RegHost.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 4028	4036	RegHost.exe	bfsvc.exe
PID 4036 wrote to memory of 3684	4036	RegHost.exe	explorer.exe
PID 4036 wrote to memory of 3684	4036	RegHost.exe	explorer.exe
PID 4036 wrote to memory of 3684	4036	RegHost.exe	explorer.exe
PID 4036 wrote to memory of 3684	4036	RegHost.exe	explorer.exe
PID 4036 wrote to memory of 3684	4036	RegHost.exe	explorer.exe
PID 4036 wrote to memory of 3684	4036	RegHost.exe	explorer.exe
PID 4036 wrote to memory of 3684	4036	RegHost.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe
"C:\Users\Admin\AppData\Local\Temp\afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9.exe"
1⤵
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:660

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1052

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4028

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3684

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1724

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:716

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2452

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3004

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
8⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1132

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:3572

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2020

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2092

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
10⤵
- Suspicious behavior: EnumeratesProcesses
PID:3052

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
11⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2552

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
12⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1944

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
12⤵
- Suspicious behavior: EnumeratesProcesses
PID:3368

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
13⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3612

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
14⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1868

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
14⤵
PID:2192

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
15⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3756

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
16⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2924

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
16⤵
PID:4068

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
17⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1908

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
18⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1884

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
18⤵
PID:1192

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
19⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2620

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
20⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2872

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
20⤵
PID:380

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
21⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:360

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
22⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2324

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
22⤵
PID:1380

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
23⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1652

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x6A7B383b4c9eDA1348cc1fD31FDefcC6f20C05f5 -coin etc -worker bigdickzxc -cclock +500 -cvddc +500
24⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2012

C:\Windows\explorer.exe
C:\Windows\explorer.exe "123qWef0" "Microsoft%20Basic%20Display%20Adapter" "None" "etc"
24⤵
PID:3412

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
25⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
PID:3496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3496 -s 428
26⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
488bf62441ff75040d50da4c2bec376b

SHA1
29931ab97f4cb72be955fd51994a895732da871e

SHA256
afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

SHA512
ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Download Submit
memory/360-198-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/360-197-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/360-196-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/380-194-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/660-120-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/660-118-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/716-136-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/1052-121-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1052-119-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1132-144-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/1192-187-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1380-203-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1652-206-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/1652-205-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/1652-204-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/1724-132-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/1724-134-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/1724-133-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/1868-168-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/1884-184-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/1908-182-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/1908-181-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/1908-180-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/1944-160-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2012-208-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2020-150-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/2020-149-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/2020-148-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/2092-152-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2192-171-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2324-200-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2452-139-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2552-158-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/2552-157-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/2552-156-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/2620-188-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/2620-190-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/2620-189-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/2872-192-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2924-176-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/3004-141-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/3004-140-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/3004-142-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/3052-155-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3368-163-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3412-211-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3496-212-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/3496-213-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/3496-214-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/3572-147-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3612-164-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/3612-165-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/3612-166-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/3684-131-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3756-172-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/3756-174-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/3756-173-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/3840-116-0x00007FF7B4A40000-0x00007FF7B4E28000-memory.dmp

Filesize
3.9MB

Download
memory/3840-117-0x00007FF7B4A40000-0x00007FF7B4E28000-memory.dmp

Filesize
3.9MB

Download
memory/3840-115-0x00007FF7B4A40000-0x00007FF7B4E28000-memory.dmp

Filesize
3.9MB

Download
memory/4028-128-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/4036-124-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/4036-125-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/4036-126-0x00007FF6A84C0000-0x00007FF6A88A8000-memory.dmp

Filesize
3.9MB

Download
memory/4068-179-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download