revengerat | 5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6

General

Target

5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe
Size

1.1MB
MD5

90db2df33725d3ee85ccc9f2c241e3c3
SHA1

7efae20c555d7b92255a90097f876183f9a0ac3b
SHA256

5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6
SHA512

8ff581a8b090ee451b5bcad3bf97535abffd92e56c85a48d93a2a356ede94f210c2516161d02a123c4a541fdf4920e77fb51aa2601efe81d4e6771ac1c918c74

Score

10^/10

revengerat guest persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

127.0.0.1:333

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 33 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/848-60-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/848-61-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/848-62-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/848-64-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/848-66-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/1768-73-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/864-86-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/2016-98-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1616-110-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1664-122-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1928-134-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1316-148-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/824-160-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1944-172-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1004-184-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1400-196-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1572-208-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1116-221-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/512-233-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1508-246-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1832-258-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1248-270-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1516-282-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/568-295-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1144-310-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1172-325-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1788-337-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1784-349-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/2028-361-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1488-373-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1760-385-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/1736-398-0x0000000000405DBE-mapping.dmp	revengerat
behavioral1/memory/2040-410-0x0000000000405DBE-mapping.dmp	revengerat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nvidia.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Nvidia\\Nvidia.exe"	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe

Suspicious use of SetThreadContext 31 IoCs

Processes:

5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe

description	pid	process	target process
PID 1752 set thread context of 848	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1768	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 864	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 2016	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1616	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1664	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1928	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1316	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 824	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1944	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1004	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1400	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1572	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1116	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 512	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1508	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1832	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1248	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1516	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 568	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 980	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1144	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1404	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1172	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1788	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1784	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 2028	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1488	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1760	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 1736	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 set thread context of 2040	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

RegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExERegAsm.ExE

description	pid	process
Token: SeDebugPrivilege	1768	RegAsm.ExE
Token: SeDebugPrivilege	864	RegAsm.ExE
Token: SeDebugPrivilege	1616	RegAsm.ExE
Token: SeDebugPrivilege	1928	RegAsm.ExE
Token: SeDebugPrivilege	1316	RegAsm.ExE
Token: SeDebugPrivilege	1944	RegAsm.ExE
Token: SeDebugPrivilege	1004	RegAsm.ExE
Token: SeDebugPrivilege	1400	RegAsm.ExE
Token: SeDebugPrivilege	1832	RegAsm.ExE
Token: SeDebugPrivilege	1248	RegAsm.ExE
Token: SeDebugPrivilege	1516	RegAsm.ExE
Token: SeDebugPrivilege	1144	RegAsm.ExE
Token: SeDebugPrivilege	1172	RegAsm.ExE
Token: SeDebugPrivilege	1784	RegAsm.ExE
Token: SeDebugPrivilege	2028	RegAsm.ExE
Token: SeDebugPrivilege	1488	RegAsm.ExE
Token: SeDebugPrivilege	1760	RegAsm.ExE
Token: SeDebugPrivilege	2040	RegAsm.ExE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe

pid process

1752 5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe

pid	process
1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe

description	pid	process	target process
PID 1752 wrote to memory of 848	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 848	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 848	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 848	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 848	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 848	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 848	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 848	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 848	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 848	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 848	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1768	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1768	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1768	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1768	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1768	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1768	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1768	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1768	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1768	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1768	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1768	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 864	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 864	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 864	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 864	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 864	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 864	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 864	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 864	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 864	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 864	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 864	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 2016	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 2016	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 2016	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 2016	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 2016	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 2016	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 2016	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 2016	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 2016	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 2016	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 2016	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1616	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1616	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1616	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1616	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1616	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1616	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1616	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1616	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1616	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1616	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1616	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1664	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1664	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1664	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1664	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1664	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1664	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1664	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1664	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE
PID 1752 wrote to memory of 1664	1752	5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe	RegAsm.ExE

C:\Users\Admin\AppData\Local\Temp\5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe
"C:\Users\Admin\AppData\Local\Temp\5dadcff70276a8aa347136f8df0bd2fbd3342470ba4ef38da696b4426b91b7c6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:848

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:1664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:1116

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:512

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:1508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:1404

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:1788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.ExE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/512-239-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/512-233-0x0000000000405DBE-mapping.dmp

Download
memory/568-301-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/568-295-0x0000000000405DBE-mapping.dmp

Download
memory/824-160-0x0000000000405DBE-mapping.dmp

Download
memory/824-166-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/848-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/848-62-0x0000000000405DBE-mapping.dmp

Download
memory/848-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/848-79-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/848-64-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/848-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/848-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/848-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/864-92-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/864-86-0x0000000000405DBE-mapping.dmp

Download
memory/980-303-0x0000000000405DBE-mapping.dmp

Download
memory/1004-190-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1004-184-0x0000000000405DBE-mapping.dmp

Download
memory/1116-227-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1116-221-0x0000000000405DBE-mapping.dmp

Download
memory/1144-316-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1144-317-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1144-310-0x0000000000405DBE-mapping.dmp

Download
memory/1172-331-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1172-325-0x0000000000405DBE-mapping.dmp

Download
memory/1248-276-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1248-270-0x0000000000405DBE-mapping.dmp

Download
memory/1316-148-0x0000000000405DBE-mapping.dmp

Download
memory/1316-154-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1400-202-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1400-196-0x0000000000405DBE-mapping.dmp

Download
memory/1400-240-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1404-319-0x0000000000405DBE-mapping.dmp

Download
memory/1488-379-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1488-373-0x0000000000405DBE-mapping.dmp

Download
memory/1508-246-0x0000000000405DBE-mapping.dmp

Download
memory/1508-252-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-304-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-282-0x0000000000405DBE-mapping.dmp

Download
memory/1516-288-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1572-214-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1572-208-0x0000000000405DBE-mapping.dmp

Download
memory/1616-110-0x0000000000405DBE-mapping.dmp

Download
memory/1616-116-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1664-122-0x0000000000405DBE-mapping.dmp

Download
memory/1664-128-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-404-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-398-0x0000000000405DBE-mapping.dmp

Download
memory/1752-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1760-391-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-385-0x0000000000405DBE-mapping.dmp

Download
memory/1768-80-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-73-0x0000000000405DBE-mapping.dmp

Download
memory/1768-142-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-349-0x0000000000405DBE-mapping.dmp

Download
memory/1784-392-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1784-355-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1788-337-0x0000000000405DBE-mapping.dmp

Download
memory/1788-343-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1832-289-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1832-264-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1832-258-0x0000000000405DBE-mapping.dmp

Download
memory/1928-141-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-140-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-134-0x0000000000405DBE-mapping.dmp

Download
memory/1944-172-0x0000000000405DBE-mapping.dmp

Download
memory/1944-215-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/1944-178-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-98-0x0000000000405DBE-mapping.dmp

Download
memory/2016-104-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-361-0x0000000000405DBE-mapping.dmp

Download
memory/2028-367-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-410-0x0000000000405DBE-mapping.dmp

Download
memory/2040-416-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads