Malware Analysis Report

2024-10-19 08:31

Sample ID 220701-e2417acacl
Target fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e
SHA256 fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e
Tags
hawkeye_reborn keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e

Threat Level: Known bad

The file fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e was found to be: Known bad.

Malicious Activity Summary

hawkeye_reborn keylogger spyware stealer trojan

HawkEye Reborn

Drops startup file

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-07-01 04:27

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-01 04:27

Reported

2022-07-01 05:14

Platform

win7-20220414-en

Max time kernel

151s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe"

Signatures

HawkEye Reborn

keylogger trojan stealer spyware hawkeye_reborn

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeviceEnroller.url C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A bot.whatismyipaddress.com N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1680 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1680 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1680 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1680 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1680 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1680 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe

"C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 bot.whatismyipaddress.com udp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2022-07-01 04:27

Reported

2022-07-01 05:16

Platform

win10v2004-20220414-en

Max time kernel

172s

Max time network

184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe"

Signatures

HawkEye Reborn

keylogger trojan stealer spyware hawkeye_reborn

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeviceEnroller.url C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A bot.whatismyipaddress.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4004 set thread context of 4068 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 set thread context of 1296 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 set thread context of 5000 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 set thread context of 3436 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 set thread context of 4164 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 set thread context of 1112 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 set thread context of 1104 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 set thread context of 4160 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 set thread context of 4828 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4004 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4004 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe

"C:\Users\Admin\AppData\Local\Temp\fb326edf387dc6592ee912056e9c65d508df5a927e84a1224d5ecdceefd0635e.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 52.109.8.21:443 tcp
FR 2.16.119.157:443 tcp
IE 20.50.73.10:443 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
US 13.89.178.26:443 tcp
US 13.107.21.200:443 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
GB 92.123.140.25:80 tcp
FR 2.16.119.157:443 tcp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp

Files

memory/4068-130-0x0000000000000000-mapping.dmp

memory/4068-131-0x0000000000790000-0x0000000000820000-memory.dmp

memory/4004-136-0x0000000003F40000-0x0000000003FCB000-memory.dmp

memory/4068-137-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/4068-138-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/4068-139-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/1296-140-0x0000000000000000-mapping.dmp

memory/1296-141-0x0000000000400000-0x0000000000490000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log

MD5 8faf48455ffc017246b08e89f6ba1956
SHA1 2f6c39d9828b3f95dc050f52a38cd7d3f543baf8
SHA256 9a643ce75fdfe840ea158010f28f8520bea2a60220494b44a25039a2a318fc35
SHA512 dafd4f1bf894ef1c61ff65dbcb8d5a151b33d8e39f3e354e6e433c8c7c0e8c2105615bffde8d796e361b77ccbe917a70ca4d03cc8cb6396f0495ff9e5b7010a9

memory/1296-147-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/1296-148-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/5000-149-0x0000000000000000-mapping.dmp

memory/5000-155-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/5000-156-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/3436-157-0x0000000000000000-mapping.dmp

memory/3436-158-0x0000000000750000-0x00000000007E0000-memory.dmp

memory/3436-163-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/3436-164-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/3436-165-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/4164-166-0x0000000000000000-mapping.dmp

memory/4164-172-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/4164-173-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/1112-174-0x0000000000000000-mapping.dmp

memory/1112-175-0x0000000000350000-0x00000000003E0000-memory.dmp

memory/1112-180-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/1112-181-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/1112-182-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/1104-183-0x0000000000000000-mapping.dmp

memory/1104-189-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/1104-190-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/4160-191-0x0000000000000000-mapping.dmp

memory/4160-197-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/4160-198-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/4160-199-0x0000000073780000-0x0000000073D31000-memory.dmp

memory/4828-200-0x0000000000000000-mapping.dmp

memory/4828-206-0x0000000073780000-0x0000000073D31000-memory.dmp