hawkeye_reborn | d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d

Analysis

max time kernel
167s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2022 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
Size

2.0MB
MD5

ebab50478bb4e87bb5549ee04ea68bed
SHA1

7cca4512fae384586c61ce4b7d55394a3b008bec
SHA256

d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d
SHA512

e16195276098a7798bb20adc55601a63994c7784bb5c52c644ae29ad21fb9222661145387d3e8fc966f253ede66da5aa2820356a2386c54cad364b7182ef9811

Score

10^/10

hawkeye_reborn keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.0.0.0

Credentials

Protocol: smtp
Host:
mail.omanipackaging.com
Port:
587
Username:
[email protected]
Password:
Opcgm@1241234$$@#

Mutex

082a0479-b2e8-4283-96ec-9bc10bdddac4

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:Opcgm@1241234$$@# _EmailPort:587 _EmailSSL:false _EmailServer:mail.omanipackaging.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:082a0479-b2e8-4283-96ec-9bc10bdddac4 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:true _Version:10.0.0.0 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye RebornX, Version=10.0.0.0, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn

Drops startup file 1 IoCs

Processes:

d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mavinject.url	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
21	bot.whatismyipaddress.com
23	bot.whatismyipaddress.com
24	bot.whatismyipaddress.com
25	bot.whatismyipaddress.com
26	bot.whatismyipaddress.com
27	bot.whatismyipaddress.com
28	bot.whatismyipaddress.com
16	bot.whatismyipaddress.com
19	bot.whatismyipaddress.com
22	bot.whatismyipaddress.com
29	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 12 IoCs

Processes:

d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe

description	pid	process	target process
PID 2536 set thread context of 1956	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 set thread context of 2760	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 set thread context of 208	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 set thread context of 3820	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 set thread context of 1028	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 set thread context of 4204	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 set thread context of 4772	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 set thread context of 4088	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 set thread context of 1948	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 set thread context of 1016	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 set thread context of 1848	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 set thread context of 4468	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe

pid	process
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe

pid	process
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe

pid	process
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe

description	pid	process	target process
PID 2536 wrote to memory of 1956	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1956	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1956	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1956	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1956	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 2760	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 2760	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 2760	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 2760	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 2760	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 208	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 208	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 208	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 208	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 208	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 3820	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 3820	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 3820	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 3820	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 3820	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1028	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1028	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1028	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1028	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1028	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4204	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4204	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4204	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4204	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4204	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4772	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4772	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4772	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4772	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4772	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4088	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4088	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4088	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4088	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4088	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1948	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1948	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1948	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1948	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1948	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1016	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1016	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1016	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1016	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1016	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1848	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1848	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1848	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1848	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 1848	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4468	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4468	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4468	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4468	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe
PID 2536 wrote to memory of 4468	2536	d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe
"C:\Users\Admin\AppData\Local\Temp\d9fde6f90d9dd6a34cb74ef36906db9a6d1d671a277cfb95f84cf1722fad443d.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
  2⤵
  PID:1956
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
  2⤵
  PID:2760
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
  2⤵
  PID:208
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
  2⤵
  PID:3820
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
  2⤵
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
  2⤵
  PID:4204
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
  2⤵
  PID:4772
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
  2⤵
  PID:4088
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
  2⤵
  PID:1016
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
  2⤵
  PID:1848
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
  2⤵
  PID:4468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log

Filesize
680B

MD5
8faf48455ffc017246b08e89f6ba1956

SHA1
2f6c39d9828b3f95dc050f52a38cd7d3f543baf8

SHA256
9a643ce75fdfe840ea158010f28f8520bea2a60220494b44a25039a2a318fc35

SHA512
dafd4f1bf894ef1c61ff65dbcb8d5a151b33d8e39f3e354e6e433c8c7c0e8c2105615bffde8d796e361b77ccbe917a70ca4d03cc8cb6396f0495ff9e5b7010a9

Download Submit
memory/208-156-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/208-155-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/208-149-0x0000000000000000-mapping.dmp

Download
memory/1016-208-0x0000000000000000-mapping.dmp

Download
memory/1016-215-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/1016-214-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/1028-173-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/1028-166-0x0000000000000000-mapping.dmp

Download
memory/1028-172-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/1848-216-0x0000000000000000-mapping.dmp

Download
memory/1848-222-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/1848-223-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/1848-224-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/1948-205-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/1948-199-0x0000000000000000-mapping.dmp

Download
memory/1948-206-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/1948-207-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/1956-138-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/1956-131-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1956-137-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/1956-139-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/1956-130-0x0000000000000000-mapping.dmp

Download
memory/2536-136-0x00000000025C0000-0x000000000264B000-memory.dmp

Filesize
556KB

Download
memory/2760-148-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/2760-140-0x0000000000000000-mapping.dmp

Download
memory/2760-147-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/3820-157-0x0000000000000000-mapping.dmp

Download
memory/3820-163-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/3820-165-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/3820-164-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/4088-191-0x0000000000000000-mapping.dmp

Download
memory/4088-198-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/4088-197-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/4204-175-0x0000000000730000-0x00000000007C0000-memory.dmp

Filesize
576KB

Download
memory/4204-182-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/4204-181-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/4204-180-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/4204-174-0x0000000000000000-mapping.dmp

Download
memory/4468-225-0x0000000000000000-mapping.dmp

Download
memory/4468-231-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/4772-189-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download
memory/4772-184-0x0000000000590000-0x0000000000620000-memory.dmp

Filesize
576KB

Download
memory/4772-183-0x0000000000000000-mapping.dmp

Download
memory/4772-190-0x0000000074450000-0x0000000074A01000-memory.dmp

Filesize
5.7MB

Download