Malware Analysis Report

2025-04-03 09:07

Sample ID 210408-lvna44jzg6
Target cheat.bin
SHA256 af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c
Tags agilenet blacknet rbew persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c

Threat Level: Known bad

The file cheat.bin was found to be: Known bad.

Malicious Activity Summary

agilenet blacknet rbew persistence trojan

BlackNET

Contains code to disable Windows Defender

BlackNET Payload

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-08-05 15:39

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-04-08 11:57

Reported

2021-04-08 11:59

Platform

win7v20201028

Max time kernel

141s

Max time network

62s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cheat.bin.exe"

Signatures

BlackNET

trojan blacknet

BlackNET Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cheat.bin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\afb3cc6e308d70ced0a4393b4c6a085d = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\usymyr kilul = "C:\\Users\\Admin\\Documents\\chome_exe\\vlc.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1604 set thread context of 1088 N/A C:\Users\Admin\AppData\Local\Temp\cheat.bin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Occurrences
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 2
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A 62

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Occurrences
PID 1604 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\cheat.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 4
PID 1604 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\cheat.bin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 12
PID 1088 wrote to memory of 1108 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\WerFault.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\cheat.bin.exe

"C:\Users\Admin\AppData\Local\Temp\cheat.bin.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'usymyr kilul';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'usymyr kilul' -Value '"C:\Users\Admin\Documents\chome_exe\vlc.exe"' -PropertyType 'String'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 7464

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 a0524310.xsph.ru udp
N/A 141.8.192.163:80 a0524310.xsph.ru tcp

Files

\Users\Admin\AppData\Local\Temp\48f61eec-53fc-4051-a0a0-85b6cd68ee5f\AgileDotNetRT.dll

MD5 edd74be9723cdc6a5692954f0e51c9f3
SHA1 e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686
SHA256 55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7
SHA512 80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3

Analysis: behavioral2

Detonation Overview

Submitted

2021-04-08 11:57

Reported

2021-04-08 11:59

Platform

win10v20201028

Max time kernel

30s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cheat.bin.exe"

Signatures

BlackNET

trojan blacknet

BlackNET Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cheat.bin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\afb3cc6e308d70ced0a4393b4c6a085d = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1052 set thread context of 560 N/A C:\Users\Admin\AppData\Local\Temp\cheat.bin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Occurrences
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 3
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A 50

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Occurrences
PID 1052 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\cheat.bin.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1052 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\cheat.bin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 8

Processes

C:\Users\Admin\AppData\Local\Temp\cheat.bin.exe

"C:\Users\Admin\AppData\Local\Temp\cheat.bin.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'usymyr kilul';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'usymyr kilul' -Value '"C:\Users\Admin\Documents\chome_exe\vlc.exe"' -PropertyType 'String'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 a0524310.xsph.ru udp
N/A 141.8.192.163:80 a0524310.xsph.ru tcp
N/A 141.8.192.163:80 a0524310.xsph.ru tcp

Files

\Users\Admin\AppData\Local\Temp\48f61eec-53fc-4051-a0a0-85b6cd68ee5f\AgileDotNetRT.dll

MD5 edd74be9723cdc6a5692954f0e51c9f3
SHA1 e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686
SHA256 55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7
SHA512 80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3
