7554ddb13cc50c4f95a64e655b0aec126a2a6d6073cdea6305efb00a52e4d4d1

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06-09-2024 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hyperbeam.exe
Size

145.0MB
MD5

16be127ba5c4d3dc2daab53cf952ad7a
SHA1

adb1a41519fcd5e6952425726bd8d239bdfa1483
SHA256

c27942559e94bfe4700aa2b120e0149a674085f42862b51d02657203cfcd3395
SHA512

938d0714d4ee7c490fb6a0af667b0cb0c9c79fc8953dbdb60312cc5d9417057efd74021fe0ce3e5bf8214416fc53638262522987884b9cd9a78f3bd53cdc4f5b
SSDEEP

3145728:UurFg3J+jK5+AcnuhAKoUj7HjGSq5RvjWS05RYkmn:frFg3J+jK5+AcnuhAKoUj7HjGSq5kzYp

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1016	Hyperbeam.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\hyperbeam\ = "URL:hyperbeam"	Hyperbeam.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\hyperbeam\shell\open\command	Hyperbeam.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\hyperbeam\shell	Hyperbeam.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\hyperbeam\shell\open	Hyperbeam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\hyperbeam\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Hyperbeam.exe\" \"%1\""	Hyperbeam.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\hyperbeam	Hyperbeam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\hyperbeam\URL Protocol	Hyperbeam.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Hyperbeam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Hyperbeam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Hyperbeam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Hyperbeam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Hyperbeam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Hyperbeam.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1588	Hyperbeam.exe
1588	Hyperbeam.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe
Token: SeShutdownPrivilege	1016	Hyperbeam.exe
Token: SeCreatePagefilePrivilege	1016	Hyperbeam.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1016	Hyperbeam.exe
1016	Hyperbeam.exe
1016	Hyperbeam.exe
1016	Hyperbeam.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1016	Hyperbeam.exe
1016	Hyperbeam.exe
1016	Hyperbeam.exe
1016	Hyperbeam.exe
1016	Hyperbeam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 3776	1016	Hyperbeam.exe	78
PID 1016 wrote to memory of 2684	1016	Hyperbeam.exe	79
PID 1016 wrote to memory of 2684	1016	Hyperbeam.exe	79
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80
PID 1016 wrote to memory of 4976	1016	Hyperbeam.exe	80

C:\Users\Admin\AppData\Local\Temp\Hyperbeam.exe
"C:\Users\Admin\AppData\Local\Temp\Hyperbeam.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\Hyperbeam.exe
  "C:\Users\Admin\AppData\Local\Temp\Hyperbeam.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\hyperbeam" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1692,i,1863287699462261238,5757541470024096957,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:3776
- C:\Users\Admin\AppData\Local\Temp\Hyperbeam.exe
  "C:\Users\Admin\AppData\Local\Temp\Hyperbeam.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\hyperbeam" --mojo-platform-channel-handle=1976 --field-trial-handle=1692,i,1863287699462261238,5757541470024096957,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:2684
- C:\Users\Admin\AppData\Local\Temp\Hyperbeam.exe
  "C:\Users\Admin\AppData\Local\Temp\Hyperbeam.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\hyperbeam" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2220 --field-trial-handle=1692,i,1863287699462261238,5757541470024096957,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  PID:4976
- C:\Users\Admin\AppData\Local\Temp\Hyperbeam.exe
  "C:\Users\Admin\AppData\Local\Temp\Hyperbeam.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\hyperbeam" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2648 --field-trial-handle=1692,i,1863287699462261238,5757541470024096957,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d8f5a831-5a37-489e-a2d1-0282ed5ee290.tmp.node

Filesize
495KB

MD5
2451dbaaa5c1b21da03be4fb0fb8c3fc

SHA1
900809bc256be20cbed09db625e2a67d623d18ed

SHA256
c19cc096eee9424ec00aaba8b2756613e9b5dc7f1559bc7141acbd18ce4cc79b

SHA512
9586e8fb84405450ebb5ce5bc909c70e0d9a79af8474029f225c0a987a3c18230b54feeb864016d56eeacd1ac496fa213f0ad621f0b78a2bc7990683cc4c67bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\hyperbeam\Cache\Cache_Data\f_000004

Filesize
53KB

MD5
7601d7faa3b49a6e2032ce5c8232a7ef

SHA1
577415dfc9ee0720efb61107f47624ff46478f41

SHA256
a81dc86c4c91cba18ebdc35761a2826480611f1368134650e48de4dec04fffe5

SHA512
3672a0ff8a2cc697e263aa073725d4111933148d38ba5817c2f4348245d2bec0ae1e96b1fd9eb13874285350484d12b7964ac7fb72956876d6436dc2aecef956

Download Submit
C:\Users\Admin\AppData\Roaming\hyperbeam\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
f15705e37e07bbb26debadd131478487

SHA1
4a0a8542c48386570b988e43441d3f7e87e2519c

SHA256
8b64903c133fea47df3570076b90b14f94f9747b1c3a5c5c317b9157bff4c6c7

SHA512
0a4aaaeb541cf41db4cd22ba7cb9a39a9f06eb6bd88f6f9ade4641a842e77b3ba3dec32c9e96e6dd9d5fcf47bc8fe1d7b9ba2060a555485a4887ffeb4c983136

Download Submit
C:\Users\Admin\AppData\Roaming\hyperbeam\Code Cache\js\index-dir\the-real-index~RFe57d9a7.TMP

Filesize
48B

MD5
c4f2176228d6578a9aaf21d15d3eb8c7

SHA1
cc006019caca91dd85d89ce6b749391a52c82eaa

SHA256
fe1e4b2a5541935c0dc1470d303fb04800928ca993dd51b98bf57dcfb81c3b20

SHA512
06ea93c7661c9392e64b98eb27103cc913c02f662a1ee01802984dc000fb9661cc06fde339b0f5e8c07db71066b095e2378d2a0a0b7fb6017ec50dd603d8ebcd

Download Submit
C:\Users\Admin\AppData\Roaming\hyperbeam\Network\Network Persistent State

Filesize
835B

MD5
bf7c16d987dfe54bfada1dc01ee4e399

SHA1
41c373587eca6e9652b32425b3de99e72ce2db36

SHA256
2af627d34e8f8b08aef3cf6532a320fed307bdb326796b49ffa3b57b18b54e0f

SHA512
21d1f2047501dfcab1d48999c13707dca67995fae6dc23893868f853570ec0e91b2d7c0e28b05cfc4816f1917d5aea74f10a0760917c7be905a43e6f5a9d3480

Download Submit
C:\Users\Admin\AppData\Roaming\hyperbeam\Network\Network Persistent State~RFe587fe9.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\hyperbeam\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\hyperbeam\Preferences~RFe57972f.TMP

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\hyperbeam\Service Worker\CacheStorage\3a3ef770bfb7ff7305a15868ae01c49399715c03\51332288-00d9-48d3-80de-b326e06838e6\index-dir\the-real-index

Filesize
1KB

MD5
76e1353d0865e45820ca1ae569d03788

SHA1
a31e3ec244d000c369d013f68a49b55aed86b00a

SHA256
f3d73f503c29ecc1a8990865b668bc6b982438c311594820ceaa6bb137785504

SHA512
44caafdea0b3fca490869160ea7ec8e3c21989d580801e2e2db3f173acade9b2fcb9dbbbe99f4dd494bcc214e219b4913ca61618a71534f6e6d6dc365ac5f120

Download Submit
C:\Users\Admin\AppData\Roaming\hyperbeam\Service Worker\CacheStorage\3a3ef770bfb7ff7305a15868ae01c49399715c03\51332288-00d9-48d3-80de-b326e06838e6\index-dir\the-real-index~RFe57dd02.TMP

Filesize
48B

MD5
d59ac47adb51bec35f0ef8dc7c2777de

SHA1
86af25fd71cedde66ce80ccaa1d4b91fd46b87cf

SHA256
35cf0fbb108b2bc3b4aa98ac8024b23926f8693d6e911c57cad4c1880c31608e

SHA512
730059bd47c4631b9dc0c93a4480f7f15db4392956f5f0568f71e552589fb558efe5b4f1708bab6f94771d0f77a18fcefb3c05e1db5a8248212186f84ee75b1c

Download Submit
C:\Users\Admin\AppData\Roaming\hyperbeam\Service Worker\CacheStorage\3a3ef770bfb7ff7305a15868ae01c49399715c03\index.txt

Filesize
121B

MD5
f8fc4b66bcb7d1fec1485ed77db3cd4b

SHA1
d58fbdf8c0d046ad4c23c18e72c7e4b4da01d392

SHA256
0109a0001218c93655be5d91031a369dc2f37783b9dc0980bf8695c5601e7505

SHA512
d1a0a4f1bf93e4e7afb3c75531736bfba36ff0fc195f63ae0f03519c5d603c330a9418918e2c6d33d47c0742d60b68bbb3fae9dfe713d4de949d70ce1163390e

Download Submit
C:\Users\Admin\AppData\Roaming\hyperbeam\Service Worker\CacheStorage\3a3ef770bfb7ff7305a15868ae01c49399715c03\index.txt~RFe57dd40.TMP

Filesize
125B

MD5
d1b76e300febaab256b906e873b95f68

SHA1
e0e92c6f75e311c3a518ce7e328bf14eba150657

SHA256
446768cc9cf6be96313e7e5474377567b7a7ede992348b1dd711372539a93e8c

SHA512
b457305309139da1b2ccd2796e70f879fadb25aeff1d8afd7d0dd75fc4bcf808710d634feb989446b565e7ea9667955ae3cc370922c1dbac4e7daf4d75c13265

Download Submit
C:\Users\Admin\AppData\Roaming\hyperbeam\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\hyperbeam\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
fc6ea203cf2117e800fb32003638ae6a

SHA1
c45bc9e1536d0c74f3f5946c3dd1e6aee817c24f

SHA256
77a5e3693001d2dcc3465bb7f79e458bd243c30a2bb523aec42ed9ec0df4a0d6

SHA512
398e0d0632bd1678a06cb1ed1f4ea49e4b138d77cd2ef7dd5a1b485caabf4da8fb20d23b93960a6cb7fca5c2a208028d14d7a68cef2f8d6fdef538d78dc237d8

Download Submit
C:\Users\Admin\AppData\Roaming\hyperbeam\Service Worker\ScriptCache\index-dir\the-real-index~RFe57bff4.TMP

Filesize
48B

MD5
55d11d0edf44ecaa4ba8c02e9b920461

SHA1
6f547b903dbac618692337cb16c232f6c2aa0e84

SHA256
e18001f31f20abe883f9306c1e946b259b307e7545f39da6ee560eeb80ff2241

SHA512
34eddf6c366bcf521d316a8e88a341fb12ad6c5ab1c4064114fae8aadb44a32e2a18c2d654d2c2ccae5d0bcc1dbd40708bb21ce690934c7c25ff0a3e76e53863

Download Submit
C:\Users\Admin\AppData\Roaming\hyperbeam\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
memory/1588-415-0x000002491D7E0000-0x000002491D7E1000-memory.dmp

Filesize
4KB

Download
memory/1588-425-0x000002491D7E0000-0x000002491D7E1000-memory.dmp

Filesize
4KB

Download
memory/1588-420-0x000002491D7E0000-0x000002491D7E1000-memory.dmp

Filesize
4KB

Download
memory/1588-421-0x000002491D7E0000-0x000002491D7E1000-memory.dmp

Filesize
4KB

Download
memory/1588-423-0x000002491D7E0000-0x000002491D7E1000-memory.dmp

Filesize
4KB

Download
memory/1588-413-0x000002491D7E0000-0x000002491D7E1000-memory.dmp

Filesize
4KB

Download
memory/1588-414-0x000002491D7E0000-0x000002491D7E1000-memory.dmp

Filesize
4KB

Download
memory/1588-424-0x000002491D7E0000-0x000002491D7E1000-memory.dmp

Filesize
4KB

Download
memory/1588-419-0x000002491D7E0000-0x000002491D7E1000-memory.dmp

Filesize
4KB

Download
memory/1588-422-0x000002491D7E0000-0x000002491D7E1000-memory.dmp

Filesize
4KB

Download
memory/3776-6-0x00007FF9B0600000-0x00007FF9B0601000-memory.dmp

Filesize
4KB

Download
memory/3776-335-0x0000018534010000-0x00000185340AE000-memory.dmp

Filesize
632KB

Download
memory/4976-336-0x000001C661660000-0x000001C6616FE000-memory.dmp

Filesize
632KB

Download
memory/4976-17-0x00007FF9B01F0000-0x00007FF9B01F1000-memory.dmp

Filesize
4KB

Download
memory/4976-14-0x00007FF9B0610000-0x00007FF9B0611000-memory.dmp

Filesize
4KB

Download