e4023297b3b3918787683d59c9ebf0c5786cdf50f42f54c50aa5571e7dae29f7

Analysis

max time kernel
149s
max time network
13s
platform
windows7_x64
resource
win7v20210408
submitted
07-06-2021 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S09900090K.exe
Size

206KB
MD5

717af05a9247debb55e8a57cb5096df4
SHA1

c0f8e0518f372e52fa5245c1ee3992ac02e15a5f
SHA256

e4023297b3b3918787683d59c9ebf0c5786cdf50f42f54c50aa5571e7dae29f7
SHA512

13a7c5dfe3474f3c4b17a52525203953adb82a82f11e6a688543d00afc6f00eacdced92990802622c885ee88fe01c73d6297d9de6db512f282d35544a243ea15

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 64 IoCs

pid	Process
1848	S09900090K.exe
1848	S09900090K.exe
684	S09900090K.exe
684	S09900090K.exe
752	S09900090K.exe
752	S09900090K.exe
1708	S09900090K.exe
1708	S09900090K.exe
1080	S09900090K.exe
1080	S09900090K.exe
1584	S09900090K.exe
1584	S09900090K.exe
1964	S09900090K.exe
1964	S09900090K.exe
1972	S09900090K.exe
1972	S09900090K.exe
1500	S09900090K.exe
1500	S09900090K.exe
2028	S09900090K.exe
2028	S09900090K.exe
1648	S09900090K.exe
1648	S09900090K.exe
440	S09900090K.exe
440	S09900090K.exe
316	S09900090K.exe
316	S09900090K.exe
812	S09900090K.exe
812	S09900090K.exe
912	S09900090K.exe
912	S09900090K.exe
1580	S09900090K.exe
1580	S09900090K.exe
944	S09900090K.exe
944	S09900090K.exe
1260	S09900090K.exe
1260	S09900090K.exe
268	S09900090K.exe
268	S09900090K.exe
108	S09900090K.exe
108	S09900090K.exe
1596	S09900090K.exe
1596	S09900090K.exe
1608	S09900090K.exe
1608	S09900090K.exe
1648	S09900090K.exe
1648	S09900090K.exe
1032	S09900090K.exe
1032	S09900090K.exe
1128	S09900090K.exe
1128	S09900090K.exe
972	S09900090K.exe
972	S09900090K.exe
832	S09900090K.exe
832	S09900090K.exe
1748	S09900090K.exe
1748	S09900090K.exe
1988	S09900090K.exe
1988	S09900090K.exe
1752	S09900090K.exe
1752	S09900090K.exe
1052	S09900090K.exe
1052	S09900090K.exe
1528	S09900090K.exe
1528	S09900090K.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\keeptnls = "C:\\Users\\Admin\\AppData\\Roaming\\nfucibtjl\\lfyinhpbx.exe"	S09900090K.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 50 IoCs

pid	Process
1848	S09900090K.exe
684	S09900090K.exe
684	S09900090K.exe
752	S09900090K.exe
1708	S09900090K.exe
1080	S09900090K.exe
1080	S09900090K.exe
1584	S09900090K.exe
1964	S09900090K.exe
1964	S09900090K.exe
1972	S09900090K.exe
1500	S09900090K.exe
2028	S09900090K.exe
1648	S09900090K.exe
440	S09900090K.exe
316	S09900090K.exe
812	S09900090K.exe
812	S09900090K.exe
912	S09900090K.exe
1580	S09900090K.exe
944	S09900090K.exe
1260	S09900090K.exe
1260	S09900090K.exe
268	S09900090K.exe
108	S09900090K.exe
108	S09900090K.exe
1596	S09900090K.exe
1608	S09900090K.exe
1648	S09900090K.exe
1032	S09900090K.exe
1128	S09900090K.exe
1128	S09900090K.exe
972	S09900090K.exe
832	S09900090K.exe
1748	S09900090K.exe
1988	S09900090K.exe
1752	S09900090K.exe
1052	S09900090K.exe
1528	S09900090K.exe
1844	S09900090K.exe
1844	S09900090K.exe
1428	S09900090K.exe
1428	S09900090K.exe
784	S09900090K.exe
1892	S09900090K.exe
1800	S09900090K.exe
372	S09900090K.exe
1628	S09900090K.exe
1512	S09900090K.exe
1328	S09900090K.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 1936	1848	S09900090K.exe	26
PID 1848 wrote to memory of 1936	1848	S09900090K.exe	26
PID 1848 wrote to memory of 1936	1848	S09900090K.exe	26
PID 1848 wrote to memory of 1936	1848	S09900090K.exe	26
PID 1848 wrote to memory of 1936	1848	S09900090K.exe	26
PID 1848 wrote to memory of 684	1848	S09900090K.exe	30
PID 1848 wrote to memory of 684	1848	S09900090K.exe	30
PID 1848 wrote to memory of 684	1848	S09900090K.exe	30
PID 1848 wrote to memory of 684	1848	S09900090K.exe	30
PID 684 wrote to memory of 1568	684	S09900090K.exe	31
PID 684 wrote to memory of 1568	684	S09900090K.exe	31
PID 684 wrote to memory of 1568	684	S09900090K.exe	31
PID 684 wrote to memory of 1568	684	S09900090K.exe	31
PID 684 wrote to memory of 1568	684	S09900090K.exe	31
PID 684 wrote to memory of 752	684	S09900090K.exe	32
PID 684 wrote to memory of 752	684	S09900090K.exe	32
PID 684 wrote to memory of 752	684	S09900090K.exe	32
PID 684 wrote to memory of 752	684	S09900090K.exe	32
PID 752 wrote to memory of 440	752	S09900090K.exe	33
PID 752 wrote to memory of 440	752	S09900090K.exe	33
PID 752 wrote to memory of 440	752	S09900090K.exe	33
PID 752 wrote to memory of 440	752	S09900090K.exe	33
PID 752 wrote to memory of 440	752	S09900090K.exe	33
PID 752 wrote to memory of 1708	752	S09900090K.exe	34
PID 752 wrote to memory of 1708	752	S09900090K.exe	34
PID 752 wrote to memory of 1708	752	S09900090K.exe	34
PID 752 wrote to memory of 1708	752	S09900090K.exe	34
PID 1708 wrote to memory of 316	1708	S09900090K.exe	35
PID 1708 wrote to memory of 316	1708	S09900090K.exe	35
PID 1708 wrote to memory of 316	1708	S09900090K.exe	35
PID 1708 wrote to memory of 316	1708	S09900090K.exe	35
PID 1708 wrote to memory of 316	1708	S09900090K.exe	35
PID 1708 wrote to memory of 1080	1708	S09900090K.exe	36
PID 1708 wrote to memory of 1080	1708	S09900090K.exe	36
PID 1708 wrote to memory of 1080	1708	S09900090K.exe	36
PID 1708 wrote to memory of 1080	1708	S09900090K.exe	36
PID 1080 wrote to memory of 112	1080	S09900090K.exe	37
PID 1080 wrote to memory of 112	1080	S09900090K.exe	37
PID 1080 wrote to memory of 112	1080	S09900090K.exe	37
PID 1080 wrote to memory of 112	1080	S09900090K.exe	37
PID 1080 wrote to memory of 112	1080	S09900090K.exe	37
PID 1080 wrote to memory of 1584	1080	S09900090K.exe	38
PID 1080 wrote to memory of 1584	1080	S09900090K.exe	38
PID 1080 wrote to memory of 1584	1080	S09900090K.exe	38
PID 1080 wrote to memory of 1584	1080	S09900090K.exe	38
PID 1584 wrote to memory of 1792	1584	S09900090K.exe	39
PID 1584 wrote to memory of 1792	1584	S09900090K.exe	39
PID 1584 wrote to memory of 1792	1584	S09900090K.exe	39
PID 1584 wrote to memory of 1792	1584	S09900090K.exe	39
PID 1584 wrote to memory of 1792	1584	S09900090K.exe	39
PID 1584 wrote to memory of 1964	1584	S09900090K.exe	40
PID 1584 wrote to memory of 1964	1584	S09900090K.exe	40
PID 1584 wrote to memory of 1964	1584	S09900090K.exe	40
PID 1584 wrote to memory of 1964	1584	S09900090K.exe	40
PID 1964 wrote to memory of 2040	1964	S09900090K.exe	41
PID 1964 wrote to memory of 2040	1964	S09900090K.exe	41
PID 1964 wrote to memory of 2040	1964	S09900090K.exe	41
PID 1964 wrote to memory of 2040	1964	S09900090K.exe	41
PID 1964 wrote to memory of 2040	1964	S09900090K.exe	41
PID 1964 wrote to memory of 1972	1964	S09900090K.exe	42
PID 1964 wrote to memory of 1972	1964	S09900090K.exe	42
PID 1964 wrote to memory of 1972	1964	S09900090K.exe	42
PID 1964 wrote to memory of 1972	1964	S09900090K.exe	42
PID 1972 wrote to memory of 1652	1972	S09900090K.exe	43

C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
"C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
  2⤵
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
  "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
    3⤵
    PID:1568
- - C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
    "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
      4⤵
      PID:440
  - - C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
      "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
      4⤵
      Loads dropped DLL
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        5⤵
        
        PID:316
    - - C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        5⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1080
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        6⤵
        
        PID:112
      - C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        6⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        7⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        7⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        8⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        8⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        9⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        9⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1500
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        10⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        10⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        11⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        11⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        12⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        12⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        13⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        13⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        14⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        14⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        15⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        15⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        16⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        16⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        17⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        17⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        18⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        18⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        19⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        19⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        20⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        20⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        21⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        21⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        22⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        22⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        23⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        23⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        24⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        24⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        25⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        25⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        26⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        26⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        27⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        27⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        28⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        28⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        29⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        29⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        30⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        30⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        31⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        31⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        32⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        32⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        33⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        33⤵
        Suspicious behavior: MapViewOfSection
        
        PID:1844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        34⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        34⤵
        Suspicious behavior: MapViewOfSection
        
        PID:1428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        35⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        35⤵
        Suspicious behavior: MapViewOfSection
        
        PID:784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        36⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        36⤵
        Suspicious behavior: MapViewOfSection
        
        PID:1892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        37⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        37⤵
        Suspicious behavior: MapViewOfSection
        
        PID:1800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        38⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        38⤵
        Suspicious behavior: MapViewOfSection
        
        PID:372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        39⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        39⤵
        Suspicious behavior: MapViewOfSection
        
        PID:1628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        40⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        40⤵
        Suspicious behavior: MapViewOfSection
        
        PID:1512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        41⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        41⤵
        Suspicious behavior: MapViewOfSection
        
        PID:1328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
        42⤵
        
        PID:440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1848-60-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download