47d6ee7ee359441ff76499d1827b6dbbe2746997a9194eaa3931b10328d59584

Analysis

max time kernel
148s
max time network
117s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09000000000000000.jar
Size

905KB
MD5

5842335503404a570eb9263542504d63
SHA1

505cce556054c1a2c6a59a6f3203c6d0cda8b7fc
SHA256

6cadc1a284604c4ec3ba8655e5b933bc7df036e6eb84685d7a6ca0e40c17d575
SHA512

08e46be059022861fa9909303ab83bef4cf917d711b1b2054640d33eac64a57a242181f73f8cbf3034e8615f319034a44fba8ac3065183a70b0e5cd02000d9ff
SSDEEP

24576:khlynSEg/rfZI1/wicY0hFo8150dkM++cp+VD3:SlmGG15oht2ss

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 49 IoCs

pid	Process
2364	p16hIwD.exe
2692	p16hIwD.exe
1680	p16hIwD.exe
1704	p16hIwD.exe
1844	p16hIwD.exe
2676	p16hIwD.exe
988	p16hIwD.exe
2840	p16hIwD.exe
2512	p16hIwD.exe
920	p16hIwD.exe
1992	p16hIwD.exe
540	p16hIwD.exe
576	p16hIwD.exe
1404	p16hIwD.exe
1968	p16hIwD.exe
1060	p16hIwD.exe
2260	p16hIwD.exe
2380	p16hIwD.exe
772	p16hIwD.exe
2368	p16hIwD.exe
1808	p16hIwD.exe
2644	p16hIwD.exe
1220	p16hIwD.exe
792	p16hIwD.exe
2600	p16hIwD.exe
2036	p16hIwD.exe
1904	p16hIwD.exe
2212	p16hIwD.exe
612	p16hIwD.exe
3040	p16hIwD.exe
1348	p16hIwD.exe
2348	p16hIwD.exe
2988	p16hIwD.exe
2180	p16hIwD.exe
2620	p16hIwD.exe
2668	p16hIwD.exe
2880	p16hIwD.exe
1640	p16hIwD.exe
2692	p16hIwD.exe
1732	p16hIwD.exe
1720	p16hIwD.exe
2388	p16hIwD.exe
2528	p16hIwD.exe
2900	p16hIwD.exe
2788	p16hIwD.exe
2952	p16hIwD.exe
1628	p16hIwD.exe
956	p16hIwD.exe
264	p16hIwD.exe

Loads dropped DLL 64 IoCs

pid	Process
2364	p16hIwD.exe
2364	p16hIwD.exe
2692	p16hIwD.exe
2692	p16hIwD.exe
1680	p16hIwD.exe
1680	p16hIwD.exe
1704	p16hIwD.exe
1704	p16hIwD.exe
1844	p16hIwD.exe
1844	p16hIwD.exe
2676	p16hIwD.exe
2676	p16hIwD.exe
988	p16hIwD.exe
988	p16hIwD.exe
2840	p16hIwD.exe
2840	p16hIwD.exe
2512	p16hIwD.exe
2512	p16hIwD.exe
920	p16hIwD.exe
920	p16hIwD.exe
1992	p16hIwD.exe
1992	p16hIwD.exe
540	p16hIwD.exe
540	p16hIwD.exe
576	p16hIwD.exe
576	p16hIwD.exe
1404	p16hIwD.exe
1404	p16hIwD.exe
1968	p16hIwD.exe
1968	p16hIwD.exe
1060	p16hIwD.exe
1060	p16hIwD.exe
2260	p16hIwD.exe
2260	p16hIwD.exe
2380	p16hIwD.exe
2380	p16hIwD.exe
772	p16hIwD.exe
772	p16hIwD.exe
2368	p16hIwD.exe
2368	p16hIwD.exe
1808	p16hIwD.exe
1808	p16hIwD.exe
2644	p16hIwD.exe
2644	p16hIwD.exe
1220	p16hIwD.exe
1220	p16hIwD.exe
792	p16hIwD.exe
792	p16hIwD.exe
2600	p16hIwD.exe
2600	p16hIwD.exe
2036	p16hIwD.exe
2036	p16hIwD.exe
1904	p16hIwD.exe
1904	p16hIwD.exe
2212	p16hIwD.exe
2212	p16hIwD.exe
612	p16hIwD.exe
612	p16hIwD.exe
3040	p16hIwD.exe
3040	p16hIwD.exe
1348	p16hIwD.exe
1348	p16hIwD.exe
2348	p16hIwD.exe
2348	p16hIwD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000600000001879f-14.dat	nsis_installer_1
behavioral1/files/0x000600000001879f-14.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	p16hIwD.exe
2364	p16hIwD.exe
2364	p16hIwD.exe
2364	p16hIwD.exe
2692	p16hIwD.exe
2692	p16hIwD.exe
2692	p16hIwD.exe
2692	p16hIwD.exe
1680	p16hIwD.exe
1680	p16hIwD.exe
1680	p16hIwD.exe
1680	p16hIwD.exe
1704	p16hIwD.exe
1704	p16hIwD.exe
1704	p16hIwD.exe
1704	p16hIwD.exe
1844	p16hIwD.exe
1844	p16hIwD.exe
1844	p16hIwD.exe
1844	p16hIwD.exe
2676	p16hIwD.exe
2676	p16hIwD.exe
2676	p16hIwD.exe
2676	p16hIwD.exe
988	p16hIwD.exe
988	p16hIwD.exe
988	p16hIwD.exe
988	p16hIwD.exe
2840	p16hIwD.exe
2840	p16hIwD.exe
2840	p16hIwD.exe
2840	p16hIwD.exe
2512	p16hIwD.exe
2512	p16hIwD.exe
2512	p16hIwD.exe
2512	p16hIwD.exe
920	p16hIwD.exe
920	p16hIwD.exe
920	p16hIwD.exe
920	p16hIwD.exe
1992	p16hIwD.exe
1992	p16hIwD.exe
1992	p16hIwD.exe
1992	p16hIwD.exe
540	p16hIwD.exe
540	p16hIwD.exe
540	p16hIwD.exe
540	p16hIwD.exe
576	p16hIwD.exe
576	p16hIwD.exe
576	p16hIwD.exe
576	p16hIwD.exe
1404	p16hIwD.exe
1404	p16hIwD.exe
1404	p16hIwD.exe
1404	p16hIwD.exe
1968	p16hIwD.exe
1968	p16hIwD.exe
1968	p16hIwD.exe
1968	p16hIwD.exe
1060	p16hIwD.exe
1060	p16hIwD.exe
1060	p16hIwD.exe
1060	p16hIwD.exe

Suspicious behavior: MapViewOfSection 58 IoCs

pid	Process
2364	p16hIwD.exe
2692	p16hIwD.exe
2692	p16hIwD.exe
1680	p16hIwD.exe
1704	p16hIwD.exe
1844	p16hIwD.exe
2676	p16hIwD.exe
988	p16hIwD.exe
988	p16hIwD.exe
2840	p16hIwD.exe
2512	p16hIwD.exe
920	p16hIwD.exe
920	p16hIwD.exe
1992	p16hIwD.exe
1992	p16hIwD.exe
540	p16hIwD.exe
540	p16hIwD.exe
576	p16hIwD.exe
1404	p16hIwD.exe
1968	p16hIwD.exe
1968	p16hIwD.exe
1060	p16hIwD.exe
2260	p16hIwD.exe
2260	p16hIwD.exe
2380	p16hIwD.exe
772	p16hIwD.exe
2368	p16hIwD.exe
1808	p16hIwD.exe
2644	p16hIwD.exe
1220	p16hIwD.exe
792	p16hIwD.exe
2600	p16hIwD.exe
2036	p16hIwD.exe
1904	p16hIwD.exe
2212	p16hIwD.exe
612	p16hIwD.exe
3040	p16hIwD.exe
1348	p16hIwD.exe
2348	p16hIwD.exe
2988	p16hIwD.exe
2180	p16hIwD.exe
2180	p16hIwD.exe
2620	p16hIwD.exe
2668	p16hIwD.exe
2668	p16hIwD.exe
2880	p16hIwD.exe
1640	p16hIwD.exe
2692	p16hIwD.exe
1732	p16hIwD.exe
1720	p16hIwD.exe
2388	p16hIwD.exe
2528	p16hIwD.exe
2900	p16hIwD.exe
2788	p16hIwD.exe
2952	p16hIwD.exe
1628	p16hIwD.exe
956	p16hIwD.exe
264	p16hIwD.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2552	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2364	2552	java.exe	31
PID 2552 wrote to memory of 2364	2552	java.exe	31
PID 2552 wrote to memory of 2364	2552	java.exe	31
PID 2552 wrote to memory of 2364	2552	java.exe	31
PID 2364 wrote to memory of 2340	2364	p16hIwD.exe	32
PID 2364 wrote to memory of 2340	2364	p16hIwD.exe	32
PID 2364 wrote to memory of 2340	2364	p16hIwD.exe	32
PID 2364 wrote to memory of 2340	2364	p16hIwD.exe	32
PID 2364 wrote to memory of 2340	2364	p16hIwD.exe	32
PID 2364 wrote to memory of 2692	2364	p16hIwD.exe	35
PID 2364 wrote to memory of 2692	2364	p16hIwD.exe	35
PID 2364 wrote to memory of 2692	2364	p16hIwD.exe	35
PID 2364 wrote to memory of 2692	2364	p16hIwD.exe	35
PID 2692 wrote to memory of 1632	2692	p16hIwD.exe	36
PID 2692 wrote to memory of 1632	2692	p16hIwD.exe	36
PID 2692 wrote to memory of 1632	2692	p16hIwD.exe	36
PID 2692 wrote to memory of 1632	2692	p16hIwD.exe	36
PID 2692 wrote to memory of 1632	2692	p16hIwD.exe	36
PID 2692 wrote to memory of 1680	2692	p16hIwD.exe	37
PID 2692 wrote to memory of 1680	2692	p16hIwD.exe	37
PID 2692 wrote to memory of 1680	2692	p16hIwD.exe	37
PID 2692 wrote to memory of 1680	2692	p16hIwD.exe	37
PID 1680 wrote to memory of 1952	1680	p16hIwD.exe	38
PID 1680 wrote to memory of 1952	1680	p16hIwD.exe	38
PID 1680 wrote to memory of 1952	1680	p16hIwD.exe	38
PID 1680 wrote to memory of 1952	1680	p16hIwD.exe	38
PID 1680 wrote to memory of 1952	1680	p16hIwD.exe	38
PID 1680 wrote to memory of 1704	1680	p16hIwD.exe	39
PID 1680 wrote to memory of 1704	1680	p16hIwD.exe	39
PID 1680 wrote to memory of 1704	1680	p16hIwD.exe	39
PID 1680 wrote to memory of 1704	1680	p16hIwD.exe	39
PID 1704 wrote to memory of 1812	1704	p16hIwD.exe	40
PID 1704 wrote to memory of 1812	1704	p16hIwD.exe	40
PID 1704 wrote to memory of 1812	1704	p16hIwD.exe	40
PID 1704 wrote to memory of 1812	1704	p16hIwD.exe	40
PID 1704 wrote to memory of 1812	1704	p16hIwD.exe	40
PID 1704 wrote to memory of 1844	1704	p16hIwD.exe	41
PID 1704 wrote to memory of 1844	1704	p16hIwD.exe	41
PID 1704 wrote to memory of 1844	1704	p16hIwD.exe	41
PID 1704 wrote to memory of 1844	1704	p16hIwD.exe	41
PID 1844 wrote to memory of 1796	1844	p16hIwD.exe	42
PID 1844 wrote to memory of 1796	1844	p16hIwD.exe	42
PID 1844 wrote to memory of 1796	1844	p16hIwD.exe	42
PID 1844 wrote to memory of 1796	1844	p16hIwD.exe	42
PID 1844 wrote to memory of 1796	1844	p16hIwD.exe	42
PID 1844 wrote to memory of 2676	1844	p16hIwD.exe	43
PID 1844 wrote to memory of 2676	1844	p16hIwD.exe	43
PID 1844 wrote to memory of 2676	1844	p16hIwD.exe	43
PID 1844 wrote to memory of 2676	1844	p16hIwD.exe	43
PID 2676 wrote to memory of 2104	2676	p16hIwD.exe	44
PID 2676 wrote to memory of 2104	2676	p16hIwD.exe	44
PID 2676 wrote to memory of 2104	2676	p16hIwD.exe	44
PID 2676 wrote to memory of 2104	2676	p16hIwD.exe	44
PID 2676 wrote to memory of 2104	2676	p16hIwD.exe	44
PID 2676 wrote to memory of 988	2676	p16hIwD.exe	45
PID 2676 wrote to memory of 988	2676	p16hIwD.exe	45
PID 2676 wrote to memory of 988	2676	p16hIwD.exe	45
PID 2676 wrote to memory of 988	2676	p16hIwD.exe	45
PID 988 wrote to memory of 1736	988	p16hIwD.exe	46
PID 988 wrote to memory of 1736	988	p16hIwD.exe	46
PID 988 wrote to memory of 1736	988	p16hIwD.exe	46
PID 988 wrote to memory of 1736	988	p16hIwD.exe	46
PID 988 wrote to memory of 1736	988	p16hIwD.exe	46
PID 988 wrote to memory of 2840	988	p16hIwD.exe	47

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\09000000000000000.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\p16hIwD.exe
  C:\Users\Admin\p16hIwD.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Users\Admin\p16hIwD.exe
    3⤵
    PID:2340
- - C:\Users\Admin\p16hIwD.exe
    C:\Users\Admin\p16hIwD.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Users\Admin\p16hIwD.exe
      4⤵
      PID:1632
  - - C:\Users\Admin\p16hIwD.exe
      C:\Users\Admin\p16hIwD.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        5⤵
        
        PID:1952
    - - C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1704
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        6⤵
        
        PID:1812
      - C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        7⤵
        
        PID:1796
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        8⤵
        
        PID:2104
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        9⤵
        
        PID:1736
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        10⤵
        
        PID:1636
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        11⤵
        
        PID:2100
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        12⤵
        
        PID:1664
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1992
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        13⤵
        
        PID:1348
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        14⤵
        
        PID:2972
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        15⤵
        
        PID:2240
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        16⤵
        
        PID:640
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        17⤵
        
        PID:2868
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        18⤵
        
        PID:2160
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        19⤵
        
        PID:2872
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        20⤵
        
        PID:2140
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        21⤵
        
        PID:1644
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        22⤵
        
        PID:1424
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        23⤵
        
        PID:2628
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        24⤵
        
        PID:856
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        25⤵
        
        PID:1844
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        26⤵
        
        PID:1428
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        27⤵
        
        PID:2948
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        28⤵
        
        PID:1536
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        29⤵
        
        PID:1764
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        30⤵
        
        PID:904
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        31⤵
        
        PID:644
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:3040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        32⤵
        
        PID:2200
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        33⤵
        
        PID:1028
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        34⤵
        
        PID:540
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        34⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        35⤵
        
        PID:2408
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        35⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        36⤵
        
        PID:2420
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        36⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        37⤵
        
        PID:2340
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        37⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        38⤵
        
        PID:2764
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        38⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        39⤵
        
        PID:2616
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        39⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:1640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        40⤵
        
        PID:2380
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        40⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        41⤵
        
        PID:3052
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        41⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:1732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        42⤵
        
        PID:2368
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        42⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:1720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        43⤵
        
        PID:2656
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        43⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        44⤵
        
        PID:2484
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        44⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        45⤵
        
        PID:2624
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        45⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        46⤵
        
        PID:2648
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        46⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        47⤵
        
        PID:2312
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        47⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        48⤵
        
        PID:2492
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        48⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:1628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        49⤵
        
        PID:1140
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        49⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        50⤵
        
        PID:936
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        50⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        51⤵
        
        PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mgirpv.tv

Filesize
680KB

MD5
cd7d8b1aa4b140c2c472d95f210489be

SHA1
1f220c9c7c8e89594737e7ce35ef832e6d050e52

SHA256
d6ef9a0263fe11cfbbcf787292b699f227b843010fabafecb492c8e048635d04

SHA512
cc9ad09c4584b7fba1a3580ed392f3243dfc6f28f32a482420658922653ba3f2dbfae07e8a350d05652d0df21204c6428d56ce2a701399b50a001c3d4213d6a9

Download Submit
C:\Users\Admin\p16hIwD.exe

Filesize
742KB

MD5
4a7839a3df1f6ddfe599b2db6ac68849

SHA1
7c6ff25e863f118080ba3e32456aa7efb4dd6a93

SHA256
143cd94e43f3988d20e7cb621184e4d1031175e2c11e6d64ee9d00e01750bd82

SHA512
088ba6c450007c85955dac9f42f7a55178e0a16e853b10f91bf9cbb6fe9c9666d721aad111ae37b17d09dfe8ade38b35e18e2f00b37ac0ddeaaef70e76e5cda7

Download Submit
\Users\Admin\AppData\Local\Temp\5yfe66gfii9aud.dll

Filesize
23KB

MD5
7cc0f4a9693723bcfdccfb3ab0336cc4

SHA1
08e4d23651c45064369f61622625b44b926d55d5

SHA256
0a8ca816133bd54cfcf867b08466ef637a34ec05cc8b2f6c5a25790fa6cb2945

SHA512
85651944816c7f2a2e304d0b48b24d24374a66cb4687097644c546f44a55971aadba67e31fbc69bf5ac61183959ddc8fc1c9ca460ced5e9b530d72f8f29febff

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD4EC.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/920-170-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1060-240-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1680-68-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1680-70-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1704-84-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1808-286-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2364-28-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2552-36-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2552-37-0x0000000002640000-0x00000000028B0000-memory.dmp

Filesize
2.4MB

Download
memory/2552-32-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/2552-10-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2552-2-0x0000000002640000-0x00000000028B0000-memory.dmp

Filesize
2.4MB

Download
memory/2676-113-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2692-54-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2692-52-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2988-395-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2988-396-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download