78aa4ee141da64e2c2f154bf7f24fc6ad0c3ce4ec5847373eba02c3c0f85849e

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09000000000000009.exe
Size

741KB
MD5

371f235c3625f124dee36379a46a8dba
SHA1

23e1fcb3503ee740cdc67c8045e9b7c8c1babec8
SHA256

ae1101f81ed495b405d0f80d678da0a6eff8e2f9c432734302ffb764b215de0a
SHA512

a83c28b39989754ec3fd6d76ab55fcbf37a3b4fedb141962f8aa7fae7d1b681d5b95d9db0cd56025549f71d18b7748a9852f324e0c1a1d6fe4dba1bfd2431ebb
SSDEEP

12288:ldCVE4Cn+bipNZmN0BueA63zIK48XqASE4zC1zmBVQEu9LPcfUdEkmrodF:jC9u8ifZmgueAGz4a6zC1UxoTQUa1ror

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 64 IoCs

pid	Process
1700	09000000000000009.exe
1700	09000000000000009.exe
2080	09000000000000009.exe
2080	09000000000000009.exe
2620	09000000000000009.exe
2620	09000000000000009.exe
2632	09000000000000009.exe
2632	09000000000000009.exe
2240	09000000000000009.exe
2240	09000000000000009.exe
2840	09000000000000009.exe
2840	09000000000000009.exe
2752	09000000000000009.exe
2752	09000000000000009.exe
1092	09000000000000009.exe
1092	09000000000000009.exe
292	09000000000000009.exe
292	09000000000000009.exe
2592	09000000000000009.exe
2592	09000000000000009.exe
2472	09000000000000009.exe
2472	09000000000000009.exe
708	09000000000000009.exe
708	09000000000000009.exe
1692	09000000000000009.exe
1692	09000000000000009.exe
544	09000000000000009.exe
544	09000000000000009.exe
2292	09000000000000009.exe
2292	09000000000000009.exe
1756	09000000000000009.exe
1756	09000000000000009.exe
2392	09000000000000009.exe
2392	09000000000000009.exe
2600	09000000000000009.exe
2600	09000000000000009.exe
2648	09000000000000009.exe
2648	09000000000000009.exe
2804	09000000000000009.exe
2804	09000000000000009.exe
2548	09000000000000009.exe
2548	09000000000000009.exe
2536	09000000000000009.exe
2536	09000000000000009.exe
340	09000000000000009.exe
340	09000000000000009.exe
2904	09000000000000009.exe
2904	09000000000000009.exe
2172	09000000000000009.exe
2172	09000000000000009.exe
2752	09000000000000009.exe
2752	09000000000000009.exe
1608	09000000000000009.exe
1608	09000000000000009.exe
2308	09000000000000009.exe
2308	09000000000000009.exe
2828	09000000000000009.exe
2828	09000000000000009.exe
2024	09000000000000009.exe
2024	09000000000000009.exe
2248	09000000000000009.exe
2248	09000000000000009.exe
708	09000000000000009.exe
708	09000000000000009.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\name = "C:\\Users\\Admin\\AppData\\Roaming\\folder\\file.exe"	09000000000000009.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1700	09000000000000009.exe
1700	09000000000000009.exe
1700	09000000000000009.exe
1700	09000000000000009.exe
2080	09000000000000009.exe
2080	09000000000000009.exe
2080	09000000000000009.exe
2080	09000000000000009.exe
2620	09000000000000009.exe
2620	09000000000000009.exe
2620	09000000000000009.exe
2620	09000000000000009.exe
2632	09000000000000009.exe
2632	09000000000000009.exe
2632	09000000000000009.exe
2632	09000000000000009.exe
2240	09000000000000009.exe
2240	09000000000000009.exe
2240	09000000000000009.exe
2240	09000000000000009.exe
2840	09000000000000009.exe
2840	09000000000000009.exe
2840	09000000000000009.exe
2840	09000000000000009.exe
2752	09000000000000009.exe
2752	09000000000000009.exe
2752	09000000000000009.exe
2752	09000000000000009.exe
1092	09000000000000009.exe
1092	09000000000000009.exe
1092	09000000000000009.exe
1092	09000000000000009.exe
292	09000000000000009.exe
292	09000000000000009.exe
292	09000000000000009.exe
292	09000000000000009.exe
2592	09000000000000009.exe
2592	09000000000000009.exe
2592	09000000000000009.exe
2592	09000000000000009.exe
2472	09000000000000009.exe
2472	09000000000000009.exe
2472	09000000000000009.exe
2472	09000000000000009.exe
708	09000000000000009.exe
708	09000000000000009.exe
708	09000000000000009.exe
708	09000000000000009.exe
1692	09000000000000009.exe
1692	09000000000000009.exe
1692	09000000000000009.exe
1692	09000000000000009.exe
544	09000000000000009.exe
544	09000000000000009.exe
544	09000000000000009.exe
544	09000000000000009.exe
2292	09000000000000009.exe
2292	09000000000000009.exe
2292	09000000000000009.exe
2292	09000000000000009.exe
1756	09000000000000009.exe
1756	09000000000000009.exe
1756	09000000000000009.exe
1756	09000000000000009.exe

Suspicious behavior: MapViewOfSection 51 IoCs

pid	Process
1700	09000000000000009.exe
2080	09000000000000009.exe
2620	09000000000000009.exe
2632	09000000000000009.exe
2240	09000000000000009.exe
2840	09000000000000009.exe
2752	09000000000000009.exe
1092	09000000000000009.exe
292	09000000000000009.exe
2592	09000000000000009.exe
2592	09000000000000009.exe
2472	09000000000000009.exe
708	09000000000000009.exe
708	09000000000000009.exe
1692	09000000000000009.exe
544	09000000000000009.exe
2292	09000000000000009.exe
1756	09000000000000009.exe
1756	09000000000000009.exe
2392	09000000000000009.exe
2600	09000000000000009.exe
2648	09000000000000009.exe
2804	09000000000000009.exe
2548	09000000000000009.exe
2536	09000000000000009.exe
2536	09000000000000009.exe
340	09000000000000009.exe
2904	09000000000000009.exe
2172	09000000000000009.exe
2752	09000000000000009.exe
2752	09000000000000009.exe
1608	09000000000000009.exe
2308	09000000000000009.exe
2828	09000000000000009.exe
2024	09000000000000009.exe
2248	09000000000000009.exe
708	09000000000000009.exe
1012	09000000000000009.exe
2816	09000000000000009.exe
2036	09000000000000009.exe
2036	09000000000000009.exe
1568	09000000000000009.exe
1756	09000000000000009.exe
1700	09000000000000009.exe
1700	09000000000000009.exe
2348	09000000000000009.exe
2648	09000000000000009.exe
1736	09000000000000009.exe
1736	09000000000000009.exe
2720	09000000000000009.exe
3032	09000000000000009.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2200	1700	09000000000000009.exe	28
PID 1700 wrote to memory of 2200	1700	09000000000000009.exe	28
PID 1700 wrote to memory of 2200	1700	09000000000000009.exe	28
PID 1700 wrote to memory of 2200	1700	09000000000000009.exe	28
PID 1700 wrote to memory of 2200	1700	09000000000000009.exe	28
PID 1700 wrote to memory of 2080	1700	09000000000000009.exe	29
PID 1700 wrote to memory of 2080	1700	09000000000000009.exe	29
PID 1700 wrote to memory of 2080	1700	09000000000000009.exe	29
PID 1700 wrote to memory of 2080	1700	09000000000000009.exe	29
PID 2080 wrote to memory of 2944	2080	09000000000000009.exe	30
PID 2080 wrote to memory of 2944	2080	09000000000000009.exe	30
PID 2080 wrote to memory of 2944	2080	09000000000000009.exe	30
PID 2080 wrote to memory of 2944	2080	09000000000000009.exe	30
PID 2080 wrote to memory of 2944	2080	09000000000000009.exe	30
PID 2080 wrote to memory of 2620	2080	09000000000000009.exe	31
PID 2080 wrote to memory of 2620	2080	09000000000000009.exe	31
PID 2080 wrote to memory of 2620	2080	09000000000000009.exe	31
PID 2080 wrote to memory of 2620	2080	09000000000000009.exe	31
PID 2620 wrote to memory of 2516	2620	09000000000000009.exe	32
PID 2620 wrote to memory of 2516	2620	09000000000000009.exe	32
PID 2620 wrote to memory of 2516	2620	09000000000000009.exe	32
PID 2620 wrote to memory of 2516	2620	09000000000000009.exe	32
PID 2620 wrote to memory of 2516	2620	09000000000000009.exe	32
PID 2620 wrote to memory of 2632	2620	09000000000000009.exe	33
PID 2620 wrote to memory of 2632	2620	09000000000000009.exe	33
PID 2620 wrote to memory of 2632	2620	09000000000000009.exe	33
PID 2620 wrote to memory of 2632	2620	09000000000000009.exe	33
PID 2632 wrote to memory of 2544	2632	09000000000000009.exe	34
PID 2632 wrote to memory of 2544	2632	09000000000000009.exe	34
PID 2632 wrote to memory of 2544	2632	09000000000000009.exe	34
PID 2632 wrote to memory of 2544	2632	09000000000000009.exe	34
PID 2632 wrote to memory of 2544	2632	09000000000000009.exe	34
PID 2632 wrote to memory of 2240	2632	09000000000000009.exe	35
PID 2632 wrote to memory of 2240	2632	09000000000000009.exe	35
PID 2632 wrote to memory of 2240	2632	09000000000000009.exe	35
PID 2632 wrote to memory of 2240	2632	09000000000000009.exe	35
PID 2240 wrote to memory of 2836	2240	09000000000000009.exe	36
PID 2240 wrote to memory of 2836	2240	09000000000000009.exe	36
PID 2240 wrote to memory of 2836	2240	09000000000000009.exe	36
PID 2240 wrote to memory of 2836	2240	09000000000000009.exe	36
PID 2240 wrote to memory of 2836	2240	09000000000000009.exe	36
PID 2240 wrote to memory of 2840	2240	09000000000000009.exe	37
PID 2240 wrote to memory of 2840	2240	09000000000000009.exe	37
PID 2240 wrote to memory of 2840	2240	09000000000000009.exe	37
PID 2240 wrote to memory of 2840	2240	09000000000000009.exe	37
PID 2840 wrote to memory of 2468	2840	09000000000000009.exe	38
PID 2840 wrote to memory of 2468	2840	09000000000000009.exe	38
PID 2840 wrote to memory of 2468	2840	09000000000000009.exe	38
PID 2840 wrote to memory of 2468	2840	09000000000000009.exe	38
PID 2840 wrote to memory of 2468	2840	09000000000000009.exe	38
PID 2840 wrote to memory of 2752	2840	09000000000000009.exe	39
PID 2840 wrote to memory of 2752	2840	09000000000000009.exe	39
PID 2840 wrote to memory of 2752	2840	09000000000000009.exe	39
PID 2840 wrote to memory of 2752	2840	09000000000000009.exe	39
PID 2752 wrote to memory of 752	2752	09000000000000009.exe	40
PID 2752 wrote to memory of 752	2752	09000000000000009.exe	40
PID 2752 wrote to memory of 752	2752	09000000000000009.exe	40
PID 2752 wrote to memory of 752	2752	09000000000000009.exe	40
PID 2752 wrote to memory of 752	2752	09000000000000009.exe	40
PID 2752 wrote to memory of 1092	2752	09000000000000009.exe	41
PID 2752 wrote to memory of 1092	2752	09000000000000009.exe	41
PID 2752 wrote to memory of 1092	2752	09000000000000009.exe	41
PID 2752 wrote to memory of 1092	2752	09000000000000009.exe	41
PID 1092 wrote to memory of 2748	1092	09000000000000009.exe	42

C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
"C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
  2⤵
  PID:2200
- C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
  "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
    3⤵
    PID:2944
- - C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
    "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
      4⤵
      PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
      "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        5⤵
        
        PID:2544
    - - C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        5⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        6⤵
        
        PID:2836
      - C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        6⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        7⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        7⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        8⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        8⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        9⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        9⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        10⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        10⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2592
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        11⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        11⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        12⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        12⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        13⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        13⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        14⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        14⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        15⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        15⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        16⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        16⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        17⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        17⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        18⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        18⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        19⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        19⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        20⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        20⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        21⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        21⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        22⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        22⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        23⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        23⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        24⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        24⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        25⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        25⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        26⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        26⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        27⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        27⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        28⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        28⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        29⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        29⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        30⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        30⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        31⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        31⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        32⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        32⤵
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        33⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        33⤵
        Suspicious behavior: MapViewOfSection
        
        PID:1012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        34⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        34⤵
        Suspicious behavior: MapViewOfSection
        
        PID:2816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        35⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        35⤵
        Suspicious behavior: MapViewOfSection
        
        PID:2036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        36⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        36⤵
        Suspicious behavior: MapViewOfSection
        
        PID:1568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        37⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        37⤵
        Suspicious behavior: MapViewOfSection
        
        PID:1756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        38⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        38⤵
        Suspicious behavior: MapViewOfSection
        
        PID:1700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        39⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        39⤵
        Suspicious behavior: MapViewOfSection
        
        PID:2348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        40⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        40⤵
        Suspicious behavior: MapViewOfSection
        
        PID:2648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        41⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        41⤵
        Suspicious behavior: MapViewOfSection
        
        PID:1736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        42⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        42⤵
        Suspicious behavior: MapViewOfSection
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        43⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        43⤵
        Suspicious behavior: MapViewOfSection
        
        PID:3032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09000000000000009.exe"
        44⤵
        
        PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7g26jn92p7b.dll

Filesize
14KB

MD5
d4cd2de76cb5e3926b6ebbdb5d421490

SHA1
9ba8904ab672d5761ff95c7db07ca249d000b0d0

SHA256
4feb8ae08b605e9cd75f5a999c59cdb5b5ddc5dd6932b018ba0a4fa5ef6dd1d5

SHA512
7acb5f7d6d204779ed5c232d8e5fc01cd7312f59631a68bd10944b221f3e45b573cefa61e236d977ce623e9d99f3ed3c5b64a8086cc6c30bd648eaabc36126e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\etrmjxozfy.yw

Filesize
680KB

MD5
6d47ab682b6872c7593fb7a908128c7b

SHA1
753577f60646f0e8d344a20db36df463d1389b26

SHA256
273d31c9720840fe60242876c31c6aa6938cf357e6bf770b2967fe89056067e0

SHA512
b71cf36a88170682d5b3e20624ac84d93c75859d2dd5e3352efecb32cfeb72aeefcb944fcb1e686d50cd6fb4b309fa1cd945357c16a6e5d346092bbd1d2043ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\etrmjxozfy.yw

Filesize
505KB

MD5
4128cbf0b241d4726369ba31b3d60c2b

SHA1
40fd837a4529e17e54f8d1a7a7b9179c7a96474f

SHA256
3b2e4faa3d31d890627b169d97f574940930361efa513310dd3fe1ec3ac9641d

SHA512
7a31116908592225f66c17bd0793856798588ecd7a9fcbad7e4e3b7ab283dc2db87d5f7c1043ddff7107e20704937126d17db7c82f7a738dcc4bac558bcb781e

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1A93.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/1700-14-0x0000000074AB0000-0x0000000074AB8000-memory.dmp

Filesize
32KB

Download
memory/1700-12-0x0000000074AB0000-0x0000000074AB8000-memory.dmp

Filesize
32KB

Download
memory/1700-452-0x0000000074C50000-0x0000000074C58000-memory.dmp

Filesize
32KB

Download
memory/2080-30-0x0000000074AB0000-0x0000000074AB8000-memory.dmp

Filesize
32KB

Download
memory/2080-29-0x0000000074AB0000-0x0000000074AB8000-memory.dmp

Filesize
32KB

Download
memory/2240-72-0x0000000074AB0000-0x0000000074AB8000-memory.dmp

Filesize
32KB

Download
memory/2816-410-0x0000000074C50000-0x0000000074C58000-memory.dmp

Filesize
32KB

Download
memory/2816-411-0x0000000074C50000-0x0000000074C58000-memory.dmp

Filesize
32KB

Download