6cadc1a284604c4ec3ba8655e5b933bc7df036e6eb84685d7a6ca0e40c17d575

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18-07-2024 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5842335503404a570eb9263542504d63_JaffaCakes118.jar
Size

905KB
MD5

5842335503404a570eb9263542504d63
SHA1

505cce556054c1a2c6a59a6f3203c6d0cda8b7fc
SHA256

6cadc1a284604c4ec3ba8655e5b933bc7df036e6eb84685d7a6ca0e40c17d575
SHA512

08e46be059022861fa9909303ab83bef4cf917d711b1b2054640d33eac64a57a242181f73f8cbf3034e8615f319034a44fba8ac3065183a70b0e5cd02000d9ff
SSDEEP

24576:khlynSEg/rfZI1/wicY0hFo8150dkM++cp+VD3:SlmGG15oht2ss

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 48 IoCs

Processes:

p16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exe

pid	Process
1860	p16hIwD.exe
2624	p16hIwD.exe
1800	p16hIwD.exe
864	p16hIwD.exe
1040	p16hIwD.exe
2928	p16hIwD.exe
2264	p16hIwD.exe
1628	p16hIwD.exe
2100	p16hIwD.exe
1020	p16hIwD.exe
3004	p16hIwD.exe
2116	p16hIwD.exe
2088	p16hIwD.exe
2956	p16hIwD.exe
1664	p16hIwD.exe
2396	p16hIwD.exe
1716	p16hIwD.exe
2560	p16hIwD.exe
1776	p16hIwD.exe
2180	p16hIwD.exe
2000	p16hIwD.exe
856	p16hIwD.exe
2708	p16hIwD.exe
496	p16hIwD.exe
1228	p16hIwD.exe
1388	p16hIwD.exe
1748	p16hIwD.exe
2272	p16hIwD.exe
2060	p16hIwD.exe
1828	p16hIwD.exe
1588	p16hIwD.exe
2692	p16hIwD.exe
2132	p16hIwD.exe
2328	p16hIwD.exe
1664	p16hIwD.exe
2412	p16hIwD.exe
1716	p16hIwD.exe
2560	p16hIwD.exe
2488	p16hIwD.exe
2180	p16hIwD.exe
696	p16hIwD.exe
2260	p16hIwD.exe
576	p16hIwD.exe
408	p16hIwD.exe
2204	p16hIwD.exe
2484	p16hIwD.exe
1864	p16hIwD.exe
584	p16hIwD.exe

Loads dropped DLL 64 IoCs

Processes:

pid	Process
1860	p16hIwD.exe
1860	p16hIwD.exe
2624	p16hIwD.exe
2624	p16hIwD.exe
1800	p16hIwD.exe
1800	p16hIwD.exe
864	p16hIwD.exe
864	p16hIwD.exe
1040	p16hIwD.exe
1040	p16hIwD.exe
2928	p16hIwD.exe
2928	p16hIwD.exe
2264	p16hIwD.exe
2264	p16hIwD.exe
1628	p16hIwD.exe
1628	p16hIwD.exe
2100	p16hIwD.exe
2100	p16hIwD.exe
1020	p16hIwD.exe
1020	p16hIwD.exe
3004	p16hIwD.exe
3004	p16hIwD.exe
2116	p16hIwD.exe
2116	p16hIwD.exe
2088	p16hIwD.exe
2088	p16hIwD.exe
2956	p16hIwD.exe
2956	p16hIwD.exe
1664	p16hIwD.exe
1664	p16hIwD.exe
2396	p16hIwD.exe
2396	p16hIwD.exe
1716	p16hIwD.exe
1716	p16hIwD.exe
2560	p16hIwD.exe
2560	p16hIwD.exe
1776	p16hIwD.exe
1776	p16hIwD.exe
2180	p16hIwD.exe
2180	p16hIwD.exe
2000	p16hIwD.exe
2000	p16hIwD.exe
856	p16hIwD.exe
856	p16hIwD.exe
2708	p16hIwD.exe
2708	p16hIwD.exe
496	p16hIwD.exe
496	p16hIwD.exe
1228	p16hIwD.exe
1228	p16hIwD.exe
1388	p16hIwD.exe
1388	p16hIwD.exe
1748	p16hIwD.exe
1748	p16hIwD.exe
2272	p16hIwD.exe
2272	p16hIwD.exe
2060	p16hIwD.exe
2060	p16hIwD.exe
1828	p16hIwD.exe
1828	p16hIwD.exe
1588	p16hIwD.exe
1588	p16hIwD.exe
2692	p16hIwD.exe
2692	p16hIwD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
behavioral1/files/0x0008000000016de9-14.dat	nsis_installer_1
behavioral1/files/0x0008000000016de9-14.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

p16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exe

pid	Process
1860	p16hIwD.exe
1860	p16hIwD.exe
1860	p16hIwD.exe
1860	p16hIwD.exe
2624	p16hIwD.exe
2624	p16hIwD.exe
2624	p16hIwD.exe
2624	p16hIwD.exe
1800	p16hIwD.exe
1800	p16hIwD.exe
1800	p16hIwD.exe
1800	p16hIwD.exe
864	p16hIwD.exe
864	p16hIwD.exe
864	p16hIwD.exe
864	p16hIwD.exe
1040	p16hIwD.exe
1040	p16hIwD.exe
1040	p16hIwD.exe
1040	p16hIwD.exe
2928	p16hIwD.exe
2928	p16hIwD.exe
2928	p16hIwD.exe
2928	p16hIwD.exe
2264	p16hIwD.exe
2264	p16hIwD.exe
2264	p16hIwD.exe
2264	p16hIwD.exe
1628	p16hIwD.exe
1628	p16hIwD.exe
1628	p16hIwD.exe
1628	p16hIwD.exe
2100	p16hIwD.exe
2100	p16hIwD.exe
2100	p16hIwD.exe
2100	p16hIwD.exe
1020	p16hIwD.exe
1020	p16hIwD.exe
1020	p16hIwD.exe
1020	p16hIwD.exe
3004	p16hIwD.exe
3004	p16hIwD.exe
3004	p16hIwD.exe
3004	p16hIwD.exe
2116	p16hIwD.exe
2116	p16hIwD.exe
2116	p16hIwD.exe
2116	p16hIwD.exe
2088	p16hIwD.exe
2088	p16hIwD.exe
2088	p16hIwD.exe
2088	p16hIwD.exe
2956	p16hIwD.exe
2956	p16hIwD.exe
2956	p16hIwD.exe
2956	p16hIwD.exe
1664	p16hIwD.exe
1664	p16hIwD.exe
1664	p16hIwD.exe
1664	p16hIwD.exe
2396	p16hIwD.exe
2396	p16hIwD.exe
2396	p16hIwD.exe
2396	p16hIwD.exe

Suspicious behavior: MapViewOfSection 60 IoCs

Processes:

pid	Process
1860	p16hIwD.exe
2624	p16hIwD.exe
1800	p16hIwD.exe
864	p16hIwD.exe
864	p16hIwD.exe
1040	p16hIwD.exe
2928	p16hIwD.exe
2928	p16hIwD.exe
2264	p16hIwD.exe
2264	p16hIwD.exe
1628	p16hIwD.exe
1628	p16hIwD.exe
2100	p16hIwD.exe
1020	p16hIwD.exe
1020	p16hIwD.exe
3004	p16hIwD.exe
2116	p16hIwD.exe
2088	p16hIwD.exe
2956	p16hIwD.exe
1664	p16hIwD.exe
2396	p16hIwD.exe
2396	p16hIwD.exe
1716	p16hIwD.exe
2560	p16hIwD.exe
1776	p16hIwD.exe
2180	p16hIwD.exe
2000	p16hIwD.exe
856	p16hIwD.exe
2708	p16hIwD.exe
2708	p16hIwD.exe
496	p16hIwD.exe
496	p16hIwD.exe
1228	p16hIwD.exe
1388	p16hIwD.exe
1748	p16hIwD.exe
2272	p16hIwD.exe
2060	p16hIwD.exe
2060	p16hIwD.exe
1828	p16hIwD.exe
1828	p16hIwD.exe
1588	p16hIwD.exe
2692	p16hIwD.exe
2132	p16hIwD.exe
2328	p16hIwD.exe
1664	p16hIwD.exe
2412	p16hIwD.exe
1716	p16hIwD.exe
2560	p16hIwD.exe
2488	p16hIwD.exe
2488	p16hIwD.exe
2180	p16hIwD.exe
696	p16hIwD.exe
2260	p16hIwD.exe
2260	p16hIwD.exe
576	p16hIwD.exe
408	p16hIwD.exe
2204	p16hIwD.exe
2484	p16hIwD.exe
1864	p16hIwD.exe
584	p16hIwD.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid	Process
2572	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

java.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exep16hIwD.exe

description	pid	Process	procid_target
PID 2572 wrote to memory of 1860	2572	java.exe	31
PID 2572 wrote to memory of 1860	2572	java.exe	31
PID 2572 wrote to memory of 1860	2572	java.exe	31
PID 2572 wrote to memory of 1860	2572	java.exe	31
PID 1860 wrote to memory of 2492	1860	p16hIwD.exe	32
PID 1860 wrote to memory of 2492	1860	p16hIwD.exe	32
PID 1860 wrote to memory of 2492	1860	p16hIwD.exe	32
PID 1860 wrote to memory of 2492	1860	p16hIwD.exe	32
PID 1860 wrote to memory of 2492	1860	p16hIwD.exe	32
PID 1860 wrote to memory of 2624	1860	p16hIwD.exe	34
PID 1860 wrote to memory of 2624	1860	p16hIwD.exe	34
PID 1860 wrote to memory of 2624	1860	p16hIwD.exe	34
PID 1860 wrote to memory of 2624	1860	p16hIwD.exe	34
PID 2624 wrote to memory of 2072	2624	p16hIwD.exe	35
PID 2624 wrote to memory of 2072	2624	p16hIwD.exe	35
PID 2624 wrote to memory of 2072	2624	p16hIwD.exe	35
PID 2624 wrote to memory of 2072	2624	p16hIwD.exe	35
PID 2624 wrote to memory of 2072	2624	p16hIwD.exe	35
PID 2624 wrote to memory of 1800	2624	p16hIwD.exe	36
PID 2624 wrote to memory of 1800	2624	p16hIwD.exe	36
PID 2624 wrote to memory of 1800	2624	p16hIwD.exe	36
PID 2624 wrote to memory of 1800	2624	p16hIwD.exe	36
PID 1800 wrote to memory of 484	1800	p16hIwD.exe	37
PID 1800 wrote to memory of 484	1800	p16hIwD.exe	37
PID 1800 wrote to memory of 484	1800	p16hIwD.exe	37
PID 1800 wrote to memory of 484	1800	p16hIwD.exe	37
PID 1800 wrote to memory of 484	1800	p16hIwD.exe	37
PID 1800 wrote to memory of 864	1800	p16hIwD.exe	38
PID 1800 wrote to memory of 864	1800	p16hIwD.exe	38
PID 1800 wrote to memory of 864	1800	p16hIwD.exe	38
PID 1800 wrote to memory of 864	1800	p16hIwD.exe	38
PID 864 wrote to memory of 1196	864	p16hIwD.exe	39
PID 864 wrote to memory of 1196	864	p16hIwD.exe	39
PID 864 wrote to memory of 1196	864	p16hIwD.exe	39
PID 864 wrote to memory of 1196	864	p16hIwD.exe	39
PID 864 wrote to memory of 1196	864	p16hIwD.exe	39
PID 864 wrote to memory of 1040	864	p16hIwD.exe	41
PID 864 wrote to memory of 1040	864	p16hIwD.exe	41
PID 864 wrote to memory of 1040	864	p16hIwD.exe	41
PID 864 wrote to memory of 1040	864	p16hIwD.exe	41
PID 1040 wrote to memory of 3000	1040	p16hIwD.exe	42
PID 1040 wrote to memory of 3000	1040	p16hIwD.exe	42
PID 1040 wrote to memory of 3000	1040	p16hIwD.exe	42
PID 1040 wrote to memory of 3000	1040	p16hIwD.exe	42
PID 1040 wrote to memory of 3000	1040	p16hIwD.exe	42
PID 1040 wrote to memory of 2928	1040	p16hIwD.exe	43
PID 1040 wrote to memory of 2928	1040	p16hIwD.exe	43
PID 1040 wrote to memory of 2928	1040	p16hIwD.exe	43
PID 1040 wrote to memory of 2928	1040	p16hIwD.exe	43
PID 2928 wrote to memory of 576	2928	p16hIwD.exe	44
PID 2928 wrote to memory of 576	2928	p16hIwD.exe	44
PID 2928 wrote to memory of 576	2928	p16hIwD.exe	44
PID 2928 wrote to memory of 576	2928	p16hIwD.exe	44
PID 2928 wrote to memory of 576	2928	p16hIwD.exe	44
PID 2928 wrote to memory of 2264	2928	p16hIwD.exe	45
PID 2928 wrote to memory of 2264	2928	p16hIwD.exe	45
PID 2928 wrote to memory of 2264	2928	p16hIwD.exe	45
PID 2928 wrote to memory of 2264	2928	p16hIwD.exe	45
PID 2264 wrote to memory of 408	2264	p16hIwD.exe	46
PID 2264 wrote to memory of 408	2264	p16hIwD.exe	46
PID 2264 wrote to memory of 408	2264	p16hIwD.exe	46
PID 2264 wrote to memory of 408	2264	p16hIwD.exe	46
PID 2264 wrote to memory of 408	2264	p16hIwD.exe	46
PID 2264 wrote to memory of 1628	2264	p16hIwD.exe	47

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\5842335503404a570eb9263542504d63_JaffaCakes118.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\p16hIwD.exe
  C:\Users\Admin\p16hIwD.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Users\Admin\p16hIwD.exe
    3⤵
    PID:2492
- - C:\Users\Admin\p16hIwD.exe
    C:\Users\Admin\p16hIwD.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Users\Admin\p16hIwD.exe
      4⤵
      PID:2072
  - - C:\Users\Admin\p16hIwD.exe
      C:\Users\Admin\p16hIwD.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        5⤵
        
        PID:484
    - - C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        6⤵
        
        PID:1196
      - C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        7⤵
        
        PID:3000
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        8⤵
        
        PID:576
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        9⤵
        
        PID:408
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        10⤵
        
        PID:1604
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        11⤵
        
        PID:1784
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        12⤵
        
        PID:2996
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        13⤵
        
        PID:1032
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        14⤵
        
        PID:1696
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        15⤵
        
        PID:2804
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2956
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        16⤵
        
        PID:2156
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        17⤵
        
        PID:2364
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        18⤵
        
        PID:2312
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        19⤵
        
        PID:2732
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        20⤵
        
        PID:596
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        21⤵
        
        PID:320
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        22⤵
        
        PID:2152
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        23⤵
        
        PID:1416
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        24⤵
        
        PID:2252
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        25⤵
        
        PID:2296
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        26⤵
        
        PID:992
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        27⤵
        
        PID:1100
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        28⤵
        
        PID:1360
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        29⤵
        
        PID:928
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        30⤵
        
        PID:2996
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        31⤵
        
        PID:1036
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        32⤵
        
        PID:2380
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:1588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        33⤵
        
        PID:904
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: MapViewOfSection
        
        PID:2692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        34⤵
        
        PID:2856
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        34⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2132
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        35⤵
        
        PID:852
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        35⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        36⤵
        
        PID:2552
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        36⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:1664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        37⤵
        
        PID:2572
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        37⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        38⤵
        
        PID:3032
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        38⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:1716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        39⤵
        
        PID:1316
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        39⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        40⤵
        
        PID:1980
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        40⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        41⤵
        
        PID:1704
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        41⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        42⤵
        
        PID:2300
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        42⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        43⤵
        
        PID:1968
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        43⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        44⤵
        
        PID:2888
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        44⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        45⤵
        
        PID:1116
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        45⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        46⤵
        
        PID:1492
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        46⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        47⤵
        
        PID:936
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        47⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:2484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        48⤵
        
        PID:964
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        48⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:1864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        49⤵
        
        PID:1756
        
        C:\Users\Admin\p16hIwD.exe
        
        C:\Users\Admin\p16hIwD.exe
        49⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Users\Admin\p16hIwD.exe
        50⤵
        
        PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5yfe66gfii9aud.dll

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgirpv.tv

Filesize
680KB

MD5
cd7d8b1aa4b140c2c472d95f210489be

SHA1
1f220c9c7c8e89594737e7ce35ef832e6d050e52

SHA256
d6ef9a0263fe11cfbbcf787292b699f227b843010fabafecb492c8e048635d04

SHA512
cc9ad09c4584b7fba1a3580ed392f3243dfc6f28f32a482420658922653ba3f2dbfae07e8a350d05652d0df21204c6428d56ce2a701399b50a001c3d4213d6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgirpv.tv

Filesize
96KB

MD5
26c5fbc230122099a30a8e403a1190da

SHA1
03c4af1a6964652a20680d563f666f3eb2f849b8

SHA256
7b7e9c7790241e28dd999d8b43ca5f1736fad7c52edad1ddc3e9aae9d939a302

SHA512
0de36128f74fa0badd2ae58ddeba24af17facb7792069f6cea0a2ca5884fb3be5d51767e8f48a5384fd2f706e7cc806bb4540ceea9af75679daedee56318bade

Download Submit
C:\Users\Admin\p16hIwD.exe

Filesize
742KB

MD5
4a7839a3df1f6ddfe599b2db6ac68849

SHA1
7c6ff25e863f118080ba3e32456aa7efb4dd6a93

SHA256
143cd94e43f3988d20e7cb621184e4d1031175e2c11e6d64ee9d00e01750bd82

SHA512
088ba6c450007c85955dac9f42f7a55178e0a16e853b10f91bf9cbb6fe9c9666d721aad111ae37b17d09dfe8ade38b35e18e2f00b37ac0ddeaaef70e76e5cda7

Download Submit
\Users\Admin\AppData\Local\Temp\5yfe66gfii9aud.dll

Filesize
23KB

MD5
7cc0f4a9693723bcfdccfb3ab0336cc4

SHA1
08e4d23651c45064369f61622625b44b926d55d5

SHA256
0a8ca816133bd54cfcf867b08466ef637a34ec05cc8b2f6c5a25790fa6cb2945

SHA512
85651944816c7f2a2e304d0b48b24d24374a66cb4687097644c546f44a55971aadba67e31fbc69bf5ac61183959ddc8fc1c9ca460ced5e9b530d72f8f29febff

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA008.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/696-474-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/864-85-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/864-87-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1040-101-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1628-148-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1628-146-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1748-346-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1800-68-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1800-71-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1860-31-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1860-39-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2264-131-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2328-410-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2572-2-0x00000000025A0000-0x0000000002810000-memory.dmp

Filesize
2.4MB

Download
memory/2572-37-0x00000000025A0000-0x0000000002810000-memory.dmp

Filesize
2.4MB

Download
memory/2572-36-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2572-32-0x0000000002340000-0x0000000002350000-memory.dmp

Filesize
64KB

Download
memory/2572-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2624-55-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2624-53-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2928-116-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/3004-190-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/3004-192-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download