47d6ee7ee359441ff76499d1827b6dbbe2746997a9194eaa3931b10328d59584

General

Target

09000000000000000.jar
Size

905KB
MD5

5842335503404a570eb9263542504d63
SHA1

505cce556054c1a2c6a59a6f3203c6d0cda8b7fc
SHA256

6cadc1a284604c4ec3ba8655e5b933bc7df036e6eb84685d7a6ca0e40c17d575
SHA512

08e46be059022861fa9909303ab83bef4cf917d711b1b2054640d33eac64a57a242181f73f8cbf3034e8615f319034a44fba8ac3065183a70b0e5cd02000d9ff
SSDEEP

24576:khlynSEg/rfZI1/wicY0hFo8150dkM++cp+VD3:SlmGG15oht2ss

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 49 IoCs

Processes:

p16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exe

pid	process
2364	p16hIwD.exe
2692	p16hIwD.exe
1680	p16hIwD.exe
1704	p16hIwD.exe
1844	p16hIwD.exe
2676	p16hIwD.exe
988	p16hIwD.exe
2840	p16hIwD.exe
2512	p16hIwD.exe
920	p16hIwD.exe
1992	p16hIwD.exe
540	p16hIwD.exe
576	p16hIwD.exe
1404	p16hIwD.exe
1968	p16hIwD.exe
1060	p16hIwD.exe
2260	p16hIwD.exe
2380	p16hIwD.exe
772	p16hIwD.exe
2368	p16hIwD.exe
1808	p16hIwD.exe
2644	p16hIwD.exe
1220	p16hIwD.exe
792	p16hIwD.exe
2600	p16hIwD.exe
2036	p16hIwD.exe
1904	p16hIwD.exe
2212	p16hIwD.exe
612	p16hIwD.exe
3040	p16hIwD.exe
1348	p16hIwD.exe
2348	p16hIwD.exe
2988	p16hIwD.exe
2180	p16hIwD.exe
2620	p16hIwD.exe
2668	p16hIwD.exe
2880	p16hIwD.exe
1640	p16hIwD.exe
2692	p16hIwD.exe
1732	p16hIwD.exe
1720	p16hIwD.exe
2388	p16hIwD.exe
2528	p16hIwD.exe
2900	p16hIwD.exe
2788	p16hIwD.exe
2952	p16hIwD.exe
1628	p16hIwD.exe
956	p16hIwD.exe
264	p16hIwD.exe

Loads dropped DLL 64 IoCs

Processes:

p16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exe

pid	process
2364	p16hIwD.exe
2364	p16hIwD.exe
2692	p16hIwD.exe
2692	p16hIwD.exe
1680	p16hIwD.exe
1680	p16hIwD.exe
1704	p16hIwD.exe
1704	p16hIwD.exe
1844	p16hIwD.exe
1844	p16hIwD.exe
2676	p16hIwD.exe
2676	p16hIwD.exe
988	p16hIwD.exe
988	p16hIwD.exe
2840	p16hIwD.exe
2840	p16hIwD.exe
2512	p16hIwD.exe
2512	p16hIwD.exe
920	p16hIwD.exe
920	p16hIwD.exe
1992	p16hIwD.exe
1992	p16hIwD.exe
540	p16hIwD.exe
540	p16hIwD.exe
576	p16hIwD.exe
576	p16hIwD.exe
1404	p16hIwD.exe
1404	p16hIwD.exe
1968	p16hIwD.exe
1968	p16hIwD.exe
1060	p16hIwD.exe
1060	p16hIwD.exe
2260	p16hIwD.exe
2260	p16hIwD.exe
2380	p16hIwD.exe
2380	p16hIwD.exe
772	p16hIwD.exe
772	p16hIwD.exe
2368	p16hIwD.exe
2368	p16hIwD.exe
1808	p16hIwD.exe
1808	p16hIwD.exe
2644	p16hIwD.exe
2644	p16hIwD.exe
1220	p16hIwD.exe
1220	p16hIwD.exe
792	p16hIwD.exe
792	p16hIwD.exe
2600	p16hIwD.exe
2600	p16hIwD.exe
2036	p16hIwD.exe
2036	p16hIwD.exe
1904	p16hIwD.exe
1904	p16hIwD.exe
2212	p16hIwD.exe
2212	p16hIwD.exe
612	p16hIwD.exe
612	p16hIwD.exe
3040	p16hIwD.exe
3040	p16hIwD.exe
1348	p16hIwD.exe
1348	p16hIwD.exe
2348	p16hIwD.exe
2348	p16hIwD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\p16hIwD.exe	nsis_installer_1
C:\Users\Admin\p16hIwD.exe	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

p16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exe

pid	process
2364	p16hIwD.exe
2364	p16hIwD.exe
2364	p16hIwD.exe
2364	p16hIwD.exe
2692	p16hIwD.exe
2692	p16hIwD.exe
2692	p16hIwD.exe
2692	p16hIwD.exe
1680	p16hIwD.exe
1680	p16hIwD.exe
1680	p16hIwD.exe
1680	p16hIwD.exe
1704	p16hIwD.exe
1704	p16hIwD.exe
1704	p16hIwD.exe
1704	p16hIwD.exe
1844	p16hIwD.exe
1844	p16hIwD.exe
1844	p16hIwD.exe
1844	p16hIwD.exe
2676	p16hIwD.exe
2676	p16hIwD.exe
2676	p16hIwD.exe
2676	p16hIwD.exe
988	p16hIwD.exe
988	p16hIwD.exe
988	p16hIwD.exe
988	p16hIwD.exe
2840	p16hIwD.exe
2840	p16hIwD.exe
2840	p16hIwD.exe
2840	p16hIwD.exe
2512	p16hIwD.exe
2512	p16hIwD.exe
2512	p16hIwD.exe
2512	p16hIwD.exe
920	p16hIwD.exe
920	p16hIwD.exe
920	p16hIwD.exe
920	p16hIwD.exe
1992	p16hIwD.exe
1992	p16hIwD.exe
1992	p16hIwD.exe
1992	p16hIwD.exe
540	p16hIwD.exe
540	p16hIwD.exe
540	p16hIwD.exe
540	p16hIwD.exe
576	p16hIwD.exe
576	p16hIwD.exe
576	p16hIwD.exe
576	p16hIwD.exe
1404	p16hIwD.exe
1404	p16hIwD.exe
1404	p16hIwD.exe
1404	p16hIwD.exe
1968	p16hIwD.exe
1968	p16hIwD.exe
1968	p16hIwD.exe
1968	p16hIwD.exe
1060	p16hIwD.exe
1060	p16hIwD.exe
1060	p16hIwD.exe
1060	p16hIwD.exe

Suspicious behavior: MapViewOfSection 58 IoCs

Processes:

p16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exe

pid	process
2364	p16hIwD.exe
2692	p16hIwD.exe
2692	p16hIwD.exe
1680	p16hIwD.exe
1704	p16hIwD.exe
1844	p16hIwD.exe
2676	p16hIwD.exe
988	p16hIwD.exe
988	p16hIwD.exe
2840	p16hIwD.exe
2512	p16hIwD.exe
920	p16hIwD.exe
920	p16hIwD.exe
1992	p16hIwD.exe
1992	p16hIwD.exe
540	p16hIwD.exe
540	p16hIwD.exe
576	p16hIwD.exe
1404	p16hIwD.exe
1968	p16hIwD.exe
1968	p16hIwD.exe
1060	p16hIwD.exe
2260	p16hIwD.exe
2260	p16hIwD.exe
2380	p16hIwD.exe
772	p16hIwD.exe
2368	p16hIwD.exe
1808	p16hIwD.exe
2644	p16hIwD.exe
1220	p16hIwD.exe
792	p16hIwD.exe
2600	p16hIwD.exe
2036	p16hIwD.exe
1904	p16hIwD.exe
2212	p16hIwD.exe
612	p16hIwD.exe
3040	p16hIwD.exe
1348	p16hIwD.exe
2348	p16hIwD.exe
2988	p16hIwD.exe
2180	p16hIwD.exe
2180	p16hIwD.exe
2620	p16hIwD.exe
2668	p16hIwD.exe
2668	p16hIwD.exe
2880	p16hIwD.exe
1640	p16hIwD.exe
2692	p16hIwD.exe
1732	p16hIwD.exe
1720	p16hIwD.exe
2388	p16hIwD.exe
2528	p16hIwD.exe
2900	p16hIwD.exe
2788	p16hIwD.exe
2952	p16hIwD.exe
1628	p16hIwD.exe
956	p16hIwD.exe
264	p16hIwD.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid process

2552 java.exe

pid	process
2552	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

java.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exe

description	pid	process	target process
PID 2552 wrote to memory of 2364	2552	java.exe	p16hIwD.exe
PID 2552 wrote to memory of 2364	2552	java.exe	p16hIwD.exe
PID 2552 wrote to memory of 2364	2552	java.exe	p16hIwD.exe
PID 2552 wrote to memory of 2364	2552	java.exe	p16hIwD.exe
PID 2364 wrote to memory of 2340	2364	p16hIwD.exe	MSBuild.exe
PID 2364 wrote to memory of 2340	2364	p16hIwD.exe	MSBuild.exe
PID 2364 wrote to memory of 2340	2364	p16hIwD.exe	MSBuild.exe
PID 2364 wrote to memory of 2340	2364	p16hIwD.exe	MSBuild.exe
PID 2364 wrote to memory of 2340	2364	p16hIwD.exe	MSBuild.exe
PID 2364 wrote to memory of 2692	2364	p16hIwD.exe	p16hIwD.exe
PID 2364 wrote to memory of 2692	2364	p16hIwD.exe	p16hIwD.exe
PID 2364 wrote to memory of 2692	2364	p16hIwD.exe	p16hIwD.exe
PID 2364 wrote to memory of 2692	2364	p16hIwD.exe	p16hIwD.exe
PID 2692 wrote to memory of 1632	2692	p16hIwD.exe	MSBuild.exe
PID 2692 wrote to memory of 1632	2692	p16hIwD.exe	MSBuild.exe
PID 2692 wrote to memory of 1632	2692	p16hIwD.exe	MSBuild.exe
PID 2692 wrote to memory of 1632	2692	p16hIwD.exe	MSBuild.exe
PID 2692 wrote to memory of 1632	2692	p16hIwD.exe	MSBuild.exe
PID 2692 wrote to memory of 1680	2692	p16hIwD.exe	p16hIwD.exe
PID 2692 wrote to memory of 1680	2692	p16hIwD.exe	p16hIwD.exe
PID 2692 wrote to memory of 1680	2692	p16hIwD.exe	p16hIwD.exe
PID 2692 wrote to memory of 1680	2692	p16hIwD.exe	p16hIwD.exe
PID 1680 wrote to memory of 1952	1680	p16hIwD.exe	MSBuild.exe
PID 1680 wrote to memory of 1952	1680	p16hIwD.exe	MSBuild.exe
PID 1680 wrote to memory of 1952	1680	p16hIwD.exe	MSBuild.exe
PID 1680 wrote to memory of 1952	1680	p16hIwD.exe	MSBuild.exe
PID 1680 wrote to memory of 1952	1680	p16hIwD.exe	MSBuild.exe
PID 1680 wrote to memory of 1704	1680	p16hIwD.exe	p16hIwD.exe
PID 1680 wrote to memory of 1704	1680	p16hIwD.exe	p16hIwD.exe
PID 1680 wrote to memory of 1704	1680	p16hIwD.exe	p16hIwD.exe
PID 1680 wrote to memory of 1704	1680	p16hIwD.exe	p16hIwD.exe
PID 1704 wrote to memory of 1812	1704	p16hIwD.exe	MSBuild.exe
PID 1704 wrote to memory of 1812	1704	p16hIwD.exe	MSBuild.exe
PID 1704 wrote to memory of 1812	1704	p16hIwD.exe	MSBuild.exe
PID 1704 wrote to memory of 1812	1704	p16hIwD.exe	MSBuild.exe
PID 1704 wrote to memory of 1812	1704	p16hIwD.exe	MSBuild.exe
PID 1704 wrote to memory of 1844	1704	p16hIwD.exe	p16hIwD.exe
PID 1704 wrote to memory of 1844	1704	p16hIwD.exe	p16hIwD.exe
PID 1704 wrote to memory of 1844	1704	p16hIwD.exe	p16hIwD.exe
PID 1704 wrote to memory of 1844	1704	p16hIwD.exe	p16hIwD.exe
PID 1844 wrote to memory of 1796	1844	p16hIwD.exe	MSBuild.exe
PID 1844 wrote to memory of 1796	1844	p16hIwD.exe	MSBuild.exe
PID 1844 wrote to memory of 1796	1844	p16hIwD.exe	MSBuild.exe
PID 1844 wrote to memory of 1796	1844	p16hIwD.exe	MSBuild.exe
PID 1844 wrote to memory of 1796	1844	p16hIwD.exe	MSBuild.exe
PID 1844 wrote to memory of 2676	1844	p16hIwD.exe	p16hIwD.exe
PID 1844 wrote to memory of 2676	1844	p16hIwD.exe	p16hIwD.exe
PID 1844 wrote to memory of 2676	1844	p16hIwD.exe	p16hIwD.exe
PID 1844 wrote to memory of 2676	1844	p16hIwD.exe	p16hIwD.exe
PID 2676 wrote to memory of 2104	2676	p16hIwD.exe	MSBuild.exe
PID 2676 wrote to memory of 2104	2676	p16hIwD.exe	MSBuild.exe
PID 2676 wrote to memory of 2104	2676	p16hIwD.exe	MSBuild.exe
PID 2676 wrote to memory of 2104	2676	p16hIwD.exe	MSBuild.exe
PID 2676 wrote to memory of 2104	2676	p16hIwD.exe	MSBuild.exe
PID 2676 wrote to memory of 988	2676	p16hIwD.exe	p16hIwD.exe
PID 2676 wrote to memory of 988	2676	p16hIwD.exe	p16hIwD.exe
PID 2676 wrote to memory of 988	2676	p16hIwD.exe	p16hIwD.exe
PID 2676 wrote to memory of 988	2676	p16hIwD.exe	p16hIwD.exe
PID 988 wrote to memory of 1736	988	p16hIwD.exe	MSBuild.exe
PID 988 wrote to memory of 1736	988	p16hIwD.exe	MSBuild.exe
PID 988 wrote to memory of 1736	988	p16hIwD.exe	MSBuild.exe
PID 988 wrote to memory of 1736	988	p16hIwD.exe	MSBuild.exe
PID 988 wrote to memory of 1736	988	p16hIwD.exe	MSBuild.exe
PID 988 wrote to memory of 2840	988	p16hIwD.exe	p16hIwD.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\09000000000000000.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
3⤵
PID:2340

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
4⤵
PID:1632

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
5⤵
PID:1952

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
6⤵
PID:1812

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
7⤵
PID:1796

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
8⤵
PID:2104

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
9⤵
PID:1736

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
10⤵
PID:1636

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
11⤵
PID:2100

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
12⤵
PID:1664

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
13⤵
PID:1348

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
14⤵
PID:2972

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
15⤵
PID:2240

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
16⤵
PID:640

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
17⤵
PID:2868

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
18⤵
PID:2160

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
18⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
19⤵
PID:2872

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
20⤵
PID:2140

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
20⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
21⤵
PID:1644

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
21⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
22⤵
PID:1424

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
22⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
23⤵
PID:2628

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
24⤵
PID:856

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
24⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
25⤵
PID:1844

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
25⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
26⤵
PID:1428

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
26⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
27⤵
PID:2948

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
27⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
28⤵
PID:1536

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
28⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
29⤵
PID:1764

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
29⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
30⤵
PID:904

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
30⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
31⤵
PID:644

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
31⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:3040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
32⤵
PID:2200

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
32⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
33⤵
PID:1028

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
33⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
34⤵
PID:540

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
34⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
35⤵
PID:2408

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
35⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
36⤵
PID:2420

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
36⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
37⤵
PID:2340

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
37⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:2668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
38⤵
PID:2764

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
38⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
39⤵
PID:2616

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
39⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
40⤵
PID:2380

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
40⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
41⤵
PID:3052

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
41⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
42⤵
PID:2368

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
42⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
43⤵
PID:2656

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
43⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
44⤵
PID:2484

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
44⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:2528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
45⤵
PID:2624

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
45⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
46⤵
PID:2648

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
46⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
47⤵
PID:2312

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
47⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:2952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
48⤵
PID:2492

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
48⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
49⤵
PID:1140

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
49⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
50⤵
PID:936

C:\Users\Admin\p16hIwD.exe
C:\Users\Admin\p16hIwD.exe
50⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\p16hIwD.exe
51⤵
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mgirpv.tv

Filesize
680KB

MD5
cd7d8b1aa4b140c2c472d95f210489be

SHA1
1f220c9c7c8e89594737e7ce35ef832e6d050e52

SHA256
d6ef9a0263fe11cfbbcf787292b699f227b843010fabafecb492c8e048635d04

SHA512
cc9ad09c4584b7fba1a3580ed392f3243dfc6f28f32a482420658922653ba3f2dbfae07e8a350d05652d0df21204c6428d56ce2a701399b50a001c3d4213d6a9

Download Submit
C:\Users\Admin\p16hIwD.exe

Filesize
742KB

MD5
4a7839a3df1f6ddfe599b2db6ac68849

SHA1
7c6ff25e863f118080ba3e32456aa7efb4dd6a93

SHA256
143cd94e43f3988d20e7cb621184e4d1031175e2c11e6d64ee9d00e01750bd82

SHA512
088ba6c450007c85955dac9f42f7a55178e0a16e853b10f91bf9cbb6fe9c9666d721aad111ae37b17d09dfe8ade38b35e18e2f00b37ac0ddeaaef70e76e5cda7

Download Submit
\Users\Admin\AppData\Local\Temp\5yfe66gfii9aud.dll

Filesize
23KB

MD5
7cc0f4a9693723bcfdccfb3ab0336cc4

SHA1
08e4d23651c45064369f61622625b44b926d55d5

SHA256
0a8ca816133bd54cfcf867b08466ef637a34ec05cc8b2f6c5a25790fa6cb2945

SHA512
85651944816c7f2a2e304d0b48b24d24374a66cb4687097644c546f44a55971aadba67e31fbc69bf5ac61183959ddc8fc1c9ca460ced5e9b530d72f8f29febff

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD4EC.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/920-170-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1060-240-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1680-68-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1680-70-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1704-84-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1808-286-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2364-28-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2552-36-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2552-37-0x0000000002640000-0x00000000028B0000-memory.dmp

Filesize
2.4MB

Download
memory/2552-32-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/2552-10-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2552-2-0x0000000002640000-0x00000000028B0000-memory.dmp

Filesize
2.4MB

Download
memory/2676-113-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2692-54-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2692-52-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2988-395-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2988-396-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads