webmonitor | d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb

Analysis

max time kernel
138s
max time network
155s
platform
windows7_x64
resource
win7-20220414-en
submitted
01-07-2022 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Size

627KB
MD5

e3deaa2d0d0e8551a0e5aec0822b1b91
SHA1

fa8769f657dcac98042c2a3af1ced52fe98ef108
SHA256

d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb
SHA512

306b76d251aa7c59c6f09c5640d91e6c3d1df3a44e21d8a4458e5082634047204de0b939fcecf4404c527350e673f30723b40a2daf3dffd3a5f5e27bc55c8985

Score

10^/10

webmonitor backdoor infostealer persistence rat suricata upx

Malware Config

Extracted

Family

webmonitor

javalux111.wm01.to:443

Attributes

config_key
zekeDaEuDbc1YhvIHRdeIzXghxt4q89z
private_key
OvE194dh7
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 43 IoCs

resource	yara_rule
behavioral1/memory/1516-61-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/280-67-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/828-75-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/592-76-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/1952-85-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/1532-90-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/832-91-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/580-100-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/1296-101-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/1140-108-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/912-118-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/1452-122-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/956-130-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/1516-134-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/280-137-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/1580-144-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/828-145-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/592-146-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/2088-148-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/2372-161-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/828-160-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/280-159-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/832-158-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/1532-157-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/1516-163-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/1952-162-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/592-156-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/2232-164-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/956-165-0x0000000003060000-0x0000000004060000-memory.dmp	family_webmonitor
behavioral1/memory/580-168-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/1296-171-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/1140-170-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/912-173-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/1452-174-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/956-177-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/956-178-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/1580-180-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/2088-181-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/2088-182-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/2372-183-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/2232-184-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/2232-185-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/2372-186-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor

suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1516-61-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/280-67-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/828-75-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/592-76-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1952-85-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1532-90-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/832-91-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/580-100-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1296-101-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1140-108-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/912-118-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1452-122-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/956-130-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1516-134-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/280-137-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1580-144-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/828-145-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/592-146-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2088-148-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2372-161-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/828-160-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/280-159-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/832-158-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1532-157-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1516-163-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1952-162-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/592-156-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2232-164-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/580-168-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1296-171-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1140-170-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/912-173-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1452-174-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/956-177-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/956-178-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/1580-180-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2088-181-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2088-182-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2372-183-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2232-184-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2232-185-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2372-186-0x0000000000400000-0x00000000004F6000-memory.dmp	upx

Unexpected DNS network traffic destination 23 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	1.2.4.8
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	114.114.114.114
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	114.114.114.114
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	1.2.4.8
Destination IP	185.243.215.214
Destination IP	185.243.215.214

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\WebMonitor-a079 = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-a079.exe"	RegAsm.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 1280 set thread context of 1516	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	28
PID 1388 set thread context of 280	1388	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	30
PID 1436 set thread context of 828	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	33
PID 1504 set thread context of 592	1504	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	35
PID 1660 set thread context of 1952	1660	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	37
PID 1040 set thread context of 832	1040	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	39
PID 2040 set thread context of 1532	2040	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	42
PID 1748 set thread context of 580	1748	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	44
PID 996 set thread context of 1296	996	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	47
PID 632 set thread context of 1140	632	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	49
PID 1556 set thread context of 912	1556	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	52
PID 688 set thread context of 1452	688	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	54
PID 1600 set thread context of 956	1600	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	56
PID 812 set thread context of 1580	812	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	59
PID 864 set thread context of 2088	864	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	62
PID 2172 set thread context of 2232	2172	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	64
PID 2312 set thread context of 2372	2312	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	66

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2816	2508	WerFault.exe	68

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe

Suspicious behavior: MapViewOfSection 23 IoCs

pid	Process
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1388	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1504	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1660	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1040	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2040	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2040	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1748	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
996	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
996	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
632	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1556	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
688	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1600	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1600	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
812	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
864	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
864	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2172	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2312	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeDebugPrivilege	1388	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeDebugPrivilege	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeDebugPrivilege	1504	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeDebugPrivilege	1660	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeDebugPrivilege	1040	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeDebugPrivilege	2040	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeDebugPrivilege	1748	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	1516	RegAsm.exe
Token: SeShutdownPrivilege	280	RegAsm.exe
Token: SeDebugPrivilege	996	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeDebugPrivilege	632	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	828	RegAsm.exe
Token: SeShutdownPrivilege	592	RegAsm.exe
Token: SeDebugPrivilege	1556	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	1952	RegAsm.exe
Token: SeShutdownPrivilege	832	RegAsm.exe
Token: SeDebugPrivilege	688	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	1532	RegAsm.exe
Token: SeShutdownPrivilege	580	RegAsm.exe
Token: SeShutdownPrivilege	1140	RegAsm.exe
Token: SeShutdownPrivilege	1296	RegAsm.exe
Token: SeDebugPrivilege	1600	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	912	RegAsm.exe
Token: SeDebugPrivilege	812	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	1452	RegAsm.exe
Token: SeDebugPrivilege	864	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeDebugPrivilege	2172	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	956	RegAsm.exe
Token: SeDebugPrivilege	2312	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	1580	RegAsm.exe
Token: SeShutdownPrivilege	2088	RegAsm.exe
Token: SeShutdownPrivilege	2232	RegAsm.exe
Token: SeShutdownPrivilege	2372	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 920	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	27
PID 1280 wrote to memory of 920	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	27
PID 1280 wrote to memory of 920	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	27
PID 1280 wrote to memory of 920	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	27
PID 1280 wrote to memory of 920	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	27
PID 1280 wrote to memory of 920	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	27
PID 1280 wrote to memory of 920	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	27
PID 1280 wrote to memory of 1516	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	28
PID 1280 wrote to memory of 1516	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	28
PID 1280 wrote to memory of 1516	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	28
PID 1280 wrote to memory of 1516	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	28
PID 1280 wrote to memory of 1516	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	28
PID 1280 wrote to memory of 1516	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	28
PID 1280 wrote to memory of 1516	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	28
PID 1280 wrote to memory of 1516	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	28
PID 1280 wrote to memory of 1388	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	29
PID 1280 wrote to memory of 1388	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	29
PID 1280 wrote to memory of 1388	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	29
PID 1280 wrote to memory of 1388	1280	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	29
PID 1388 wrote to memory of 280	1388	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	30
PID 1388 wrote to memory of 280	1388	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	30
PID 1388 wrote to memory of 280	1388	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	30
PID 1388 wrote to memory of 280	1388	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	30
PID 1388 wrote to memory of 280	1388	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	30
PID 1388 wrote to memory of 280	1388	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	30
PID 1388 wrote to memory of 280	1388	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	30
PID 1388 wrote to memory of 280	1388	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	30
PID 1388 wrote to memory of 1436	1388	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	31
PID 1388 wrote to memory of 1436	1388	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	31
PID 1388 wrote to memory of 1436	1388	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	31
PID 1388 wrote to memory of 1436	1388	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	31
PID 1436 wrote to memory of 892	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	32
PID 1436 wrote to memory of 892	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	32
PID 1436 wrote to memory of 892	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	32
PID 1436 wrote to memory of 892	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	32
PID 1436 wrote to memory of 892	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	32
PID 1436 wrote to memory of 892	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	32
PID 1436 wrote to memory of 892	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	32
PID 1436 wrote to memory of 828	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	33
PID 1436 wrote to memory of 828	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	33
PID 1436 wrote to memory of 828	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	33
PID 1436 wrote to memory of 828	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	33
PID 1436 wrote to memory of 828	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	33
PID 1436 wrote to memory of 828	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	33
PID 1436 wrote to memory of 828	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	33
PID 1436 wrote to memory of 828	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	33
PID 1436 wrote to memory of 1504	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	34
PID 1436 wrote to memory of 1504	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	34
PID 1436 wrote to memory of 1504	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	34
PID 1436 wrote to memory of 1504	1436	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	34
PID 1504 wrote to memory of 592	1504	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	35
PID 1504 wrote to memory of 592	1504	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	35
PID 1504 wrote to memory of 592	1504	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	35
PID 1504 wrote to memory of 592	1504	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	35
PID 1504 wrote to memory of 592	1504	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	35
PID 1504 wrote to memory of 592	1504	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	35
PID 1504 wrote to memory of 592	1504	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	35
PID 1504 wrote to memory of 592	1504	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	35
PID 1504 wrote to memory of 1660	1504	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	36
PID 1504 wrote to memory of 1660	1504	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	36
PID 1504 wrote to memory of 1660	1504	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	36
PID 1504 wrote to memory of 1660	1504	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	36
PID 1660 wrote to memory of 1952	1660	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	37
PID 1660 wrote to memory of 1952	1660	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	37

C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
"C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
  "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:280
- - C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
    "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:892
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:828
  - - C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
      "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
    - - C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
      - C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        
        PID:1756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        11⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        13⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        15⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        
        PID:2080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        17⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        18⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 7248
        19⤵
        Program crash
        
        PID:2816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/280-113-0x0000000002ED0000-0x0000000003ED0000-memory.dmp

Filesize
16.0MB

Download
memory/280-137-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/280-159-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/280-67-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/580-168-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/580-100-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/580-128-0x0000000002F00000-0x0000000003F00000-memory.dmp

Filesize
16.0MB

Download
memory/592-156-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/592-146-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/592-119-0x0000000002EF0000-0x0000000003EF0000-memory.dmp

Filesize
16.0MB

Download
memory/592-76-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/828-75-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/828-109-0x00000000030F0000-0x00000000040F0000-memory.dmp

Filesize
16.0MB

Download
memory/828-160-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/828-145-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/832-91-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/832-121-0x0000000002ED0000-0x0000000003ED0000-memory.dmp

Filesize
16.0MB

Download
memory/832-158-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/912-118-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/912-142-0x00000000031D0000-0x00000000041D0000-memory.dmp

Filesize
16.0MB

Download
memory/912-173-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/956-165-0x0000000003060000-0x0000000004060000-memory.dmp

Filesize
16.0MB

Download
memory/956-130-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/956-177-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/956-178-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1140-129-0x0000000003070000-0x0000000004070000-memory.dmp

Filesize
16.0MB

Download
memory/1140-170-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1140-108-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1280-57-0x0000000004430000-0x000000000449A000-memory.dmp

Filesize
424KB

Download
memory/1280-55-0x00000000756E1000-0x00000000756E3000-memory.dmp

Filesize
8KB

Download
memory/1280-59-0x0000000000670000-0x0000000000673000-memory.dmp

Filesize
12KB

Download
memory/1280-54-0x0000000000C20000-0x0000000000CC4000-memory.dmp

Filesize
656KB

Download
memory/1280-56-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/1296-101-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1296-171-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1296-133-0x0000000003000000-0x0000000004000000-memory.dmp

Filesize
16.0MB

Download
memory/1452-122-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1452-174-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1452-140-0x0000000003230000-0x0000000004230000-memory.dmp

Filesize
16.0MB

Download
memory/1516-112-0x0000000002F70000-0x0000000003F70000-memory.dmp

Filesize
16.0MB

Download
memory/1516-134-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1516-61-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1516-163-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1532-90-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1532-157-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1532-124-0x0000000003020000-0x0000000004020000-memory.dmp

Filesize
16.0MB

Download
memory/1580-169-0x0000000003020000-0x0000000004020000-memory.dmp

Filesize
16.0MB

Download
memory/1580-144-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1580-180-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1952-162-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1952-120-0x00000000031C0000-0x00000000041C0000-memory.dmp

Filesize
16.0MB

Download
memory/1952-85-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2088-181-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2088-182-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2088-172-0x0000000003050000-0x0000000004050000-memory.dmp

Filesize
16.0MB

Download
memory/2088-148-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2232-164-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2232-175-0x0000000002F90000-0x0000000003F90000-memory.dmp

Filesize
16.0MB

Download
memory/2232-184-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2232-185-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2372-176-0x0000000003000000-0x0000000004000000-memory.dmp

Filesize
16.0MB

Download
memory/2372-161-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2372-183-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2372-186-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download