fef9364a82823b9d1a9dbee06a202bd7914c6414a8857311ec338fbd2eb2261c

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pay09809988.exe
Size

452KB
MD5

dc83500f11eef58ddbb21c9dd2d17729
SHA1

46b0de105332e090806d5e95f38ee0a33c10ad3b
SHA256

2160a2fba2efc22751b82cebb9d4ce21dfe35782cfb21bbf512687f413b80e65
SHA512

b1289ae61523b0e170a434361e727bf5e0e0043c4596214b4823e6c961ace6a61b796adcbd459cbdcddab3c7d9ff3236ad81a9d88f8a9ca31206a90fb1c127ad
SSDEEP

12288:RH06XwKIhiXX1oJMdqvEu6XFhCQxy1Hex/pKAQb9NsAm:9frX1oJwqvEujh2xiBm

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 64 IoCs

Processes:

pid	process
2184	pay09809988.exe
2184	pay09809988.exe
1976	pay09809988.exe
1976	pay09809988.exe
2836	pay09809988.exe
2836	pay09809988.exe
2752	pay09809988.exe
2752	pay09809988.exe
1424	pay09809988.exe
1424	pay09809988.exe
2940	pay09809988.exe
2940	pay09809988.exe
2564	pay09809988.exe
2564	pay09809988.exe
944	pay09809988.exe
944	pay09809988.exe
2616	pay09809988.exe
2616	pay09809988.exe
1780	pay09809988.exe
1780	pay09809988.exe
3036	pay09809988.exe
3036	pay09809988.exe
700	pay09809988.exe
700	pay09809988.exe
560	pay09809988.exe
560	pay09809988.exe
2464	pay09809988.exe
2464	pay09809988.exe
1604	pay09809988.exe
1604	pay09809988.exe
2660	pay09809988.exe
2660	pay09809988.exe
2024	pay09809988.exe
2024	pay09809988.exe
1616	pay09809988.exe
1616	pay09809988.exe
1184	pay09809988.exe
1184	pay09809988.exe
2832	pay09809988.exe
2832	pay09809988.exe
3008	pay09809988.exe
3008	pay09809988.exe
2768	pay09809988.exe
2768	pay09809988.exe
2656	pay09809988.exe
2656	pay09809988.exe
1700	pay09809988.exe
1700	pay09809988.exe
3068	pay09809988.exe
3068	pay09809988.exe
2940	pay09809988.exe
2940	pay09809988.exe
1584	pay09809988.exe
1584	pay09809988.exe
2916	pay09809988.exe
2916	pay09809988.exe
1560	pay09809988.exe
1560	pay09809988.exe
2236	pay09809988.exe
2236	pay09809988.exe
2536	pay09809988.exe
2536	pay09809988.exe
600	pay09809988.exe
600	pay09809988.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
2184	pay09809988.exe
2184	pay09809988.exe
2184	pay09809988.exe
2184	pay09809988.exe
1976	pay09809988.exe
1976	pay09809988.exe
1976	pay09809988.exe
1976	pay09809988.exe
2836	pay09809988.exe
2836	pay09809988.exe
2836	pay09809988.exe
2836	pay09809988.exe
2752	pay09809988.exe
2752	pay09809988.exe
2752	pay09809988.exe
2752	pay09809988.exe
1424	pay09809988.exe
1424	pay09809988.exe
1424	pay09809988.exe
1424	pay09809988.exe
2940	pay09809988.exe
2940	pay09809988.exe
2940	pay09809988.exe
2940	pay09809988.exe
2564	pay09809988.exe
2564	pay09809988.exe
2564	pay09809988.exe
2564	pay09809988.exe
944	pay09809988.exe
944	pay09809988.exe
944	pay09809988.exe
944	pay09809988.exe
2616	pay09809988.exe
2616	pay09809988.exe
2616	pay09809988.exe
2616	pay09809988.exe
1780	pay09809988.exe
1780	pay09809988.exe
1780	pay09809988.exe
1780	pay09809988.exe
3036	pay09809988.exe
3036	pay09809988.exe
3036	pay09809988.exe
3036	pay09809988.exe
700	pay09809988.exe
700	pay09809988.exe
700	pay09809988.exe
700	pay09809988.exe
560	pay09809988.exe
560	pay09809988.exe
560	pay09809988.exe
560	pay09809988.exe
2464	pay09809988.exe
2464	pay09809988.exe
2464	pay09809988.exe
2464	pay09809988.exe
1604	pay09809988.exe
1604	pay09809988.exe
1604	pay09809988.exe
1604	pay09809988.exe
2660	pay09809988.exe
2660	pay09809988.exe
2660	pay09809988.exe
2660	pay09809988.exe

Suspicious behavior: MapViewOfSection 60 IoCs

Processes:

pay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exe

pid	process
2184	pay09809988.exe
1976	pay09809988.exe
2836	pay09809988.exe
2836	pay09809988.exe
2752	pay09809988.exe
1424	pay09809988.exe
2940	pay09809988.exe
2564	pay09809988.exe
2564	pay09809988.exe
944	pay09809988.exe
2616	pay09809988.exe
1780	pay09809988.exe
1780	pay09809988.exe
3036	pay09809988.exe
700	pay09809988.exe
560	pay09809988.exe
2464	pay09809988.exe
1604	pay09809988.exe
2660	pay09809988.exe
2660	pay09809988.exe
2024	pay09809988.exe
1616	pay09809988.exe
1184	pay09809988.exe
2832	pay09809988.exe
3008	pay09809988.exe
3008	pay09809988.exe
2768	pay09809988.exe
2656	pay09809988.exe
1700	pay09809988.exe
3068	pay09809988.exe
2940	pay09809988.exe
2940	pay09809988.exe
1584	pay09809988.exe
2916	pay09809988.exe
1560	pay09809988.exe
2236	pay09809988.exe
2536	pay09809988.exe
600	pay09809988.exe
1484	pay09809988.exe
1484	pay09809988.exe
408	pay09809988.exe
1712	pay09809988.exe
2464	pay09809988.exe
988	pay09809988.exe
2264	pay09809988.exe
1752	pay09809988.exe
2724	pay09809988.exe
2732	pay09809988.exe
2732	pay09809988.exe
2168	pay09809988.exe
2168	pay09809988.exe
2604	pay09809988.exe
2596	pay09809988.exe
2768	pay09809988.exe
2360	pay09809988.exe
2360	pay09809988.exe
1424	pay09809988.exe
2136	pay09809988.exe
2956	pay09809988.exe
2956	pay09809988.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

pay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exepay09809988.exe

description	pid	process	target process
PID 2184 wrote to memory of 2424	2184	pay09809988.exe	MSBuild.exe
PID 2184 wrote to memory of 2424	2184	pay09809988.exe	MSBuild.exe
PID 2184 wrote to memory of 2424	2184	pay09809988.exe	MSBuild.exe
PID 2184 wrote to memory of 2424	2184	pay09809988.exe	MSBuild.exe
PID 2184 wrote to memory of 2424	2184	pay09809988.exe	MSBuild.exe
PID 2184 wrote to memory of 1976	2184	pay09809988.exe	pay09809988.exe
PID 2184 wrote to memory of 1976	2184	pay09809988.exe	pay09809988.exe
PID 2184 wrote to memory of 1976	2184	pay09809988.exe	pay09809988.exe
PID 2184 wrote to memory of 1976	2184	pay09809988.exe	pay09809988.exe
PID 1976 wrote to memory of 2880	1976	pay09809988.exe	MSBuild.exe
PID 1976 wrote to memory of 2880	1976	pay09809988.exe	MSBuild.exe
PID 1976 wrote to memory of 2880	1976	pay09809988.exe	MSBuild.exe
PID 1976 wrote to memory of 2880	1976	pay09809988.exe	MSBuild.exe
PID 1976 wrote to memory of 2880	1976	pay09809988.exe	MSBuild.exe
PID 1976 wrote to memory of 2836	1976	pay09809988.exe	pay09809988.exe
PID 1976 wrote to memory of 2836	1976	pay09809988.exe	pay09809988.exe
PID 1976 wrote to memory of 2836	1976	pay09809988.exe	pay09809988.exe
PID 1976 wrote to memory of 2836	1976	pay09809988.exe	pay09809988.exe
PID 2836 wrote to memory of 1316	2836	pay09809988.exe	MSBuild.exe
PID 2836 wrote to memory of 1316	2836	pay09809988.exe	MSBuild.exe
PID 2836 wrote to memory of 1316	2836	pay09809988.exe	MSBuild.exe
PID 2836 wrote to memory of 1316	2836	pay09809988.exe	MSBuild.exe
PID 2836 wrote to memory of 1316	2836	pay09809988.exe	MSBuild.exe
PID 2836 wrote to memory of 2752	2836	pay09809988.exe	pay09809988.exe
PID 2836 wrote to memory of 2752	2836	pay09809988.exe	pay09809988.exe
PID 2836 wrote to memory of 2752	2836	pay09809988.exe	pay09809988.exe
PID 2836 wrote to memory of 2752	2836	pay09809988.exe	pay09809988.exe
PID 2752 wrote to memory of 2652	2752	pay09809988.exe	MSBuild.exe
PID 2752 wrote to memory of 2652	2752	pay09809988.exe	MSBuild.exe
PID 2752 wrote to memory of 2652	2752	pay09809988.exe	MSBuild.exe
PID 2752 wrote to memory of 2652	2752	pay09809988.exe	MSBuild.exe
PID 2752 wrote to memory of 2652	2752	pay09809988.exe	MSBuild.exe
PID 2752 wrote to memory of 1424	2752	pay09809988.exe	pay09809988.exe
PID 2752 wrote to memory of 1424	2752	pay09809988.exe	pay09809988.exe
PID 2752 wrote to memory of 1424	2752	pay09809988.exe	pay09809988.exe
PID 2752 wrote to memory of 1424	2752	pay09809988.exe	pay09809988.exe
PID 1424 wrote to memory of 2976	1424	pay09809988.exe	MSBuild.exe
PID 1424 wrote to memory of 2976	1424	pay09809988.exe	MSBuild.exe
PID 1424 wrote to memory of 2976	1424	pay09809988.exe	MSBuild.exe
PID 1424 wrote to memory of 2976	1424	pay09809988.exe	MSBuild.exe
PID 1424 wrote to memory of 2976	1424	pay09809988.exe	MSBuild.exe
PID 1424 wrote to memory of 2940	1424	pay09809988.exe	pay09809988.exe
PID 1424 wrote to memory of 2940	1424	pay09809988.exe	pay09809988.exe
PID 1424 wrote to memory of 2940	1424	pay09809988.exe	pay09809988.exe
PID 1424 wrote to memory of 2940	1424	pay09809988.exe	pay09809988.exe
PID 2940 wrote to memory of 2140	2940	pay09809988.exe	MSBuild.exe
PID 2940 wrote to memory of 2140	2940	pay09809988.exe	MSBuild.exe
PID 2940 wrote to memory of 2140	2940	pay09809988.exe	MSBuild.exe
PID 2940 wrote to memory of 2140	2940	pay09809988.exe	MSBuild.exe
PID 2940 wrote to memory of 2140	2940	pay09809988.exe	MSBuild.exe
PID 2940 wrote to memory of 2564	2940	pay09809988.exe	pay09809988.exe
PID 2940 wrote to memory of 2564	2940	pay09809988.exe	pay09809988.exe
PID 2940 wrote to memory of 2564	2940	pay09809988.exe	pay09809988.exe
PID 2940 wrote to memory of 2564	2940	pay09809988.exe	pay09809988.exe
PID 2564 wrote to memory of 708	2564	pay09809988.exe	MSBuild.exe
PID 2564 wrote to memory of 708	2564	pay09809988.exe	MSBuild.exe
PID 2564 wrote to memory of 708	2564	pay09809988.exe	MSBuild.exe
PID 2564 wrote to memory of 708	2564	pay09809988.exe	MSBuild.exe
PID 2564 wrote to memory of 708	2564	pay09809988.exe	MSBuild.exe
PID 2564 wrote to memory of 944	2564	pay09809988.exe	pay09809988.exe
PID 2564 wrote to memory of 944	2564	pay09809988.exe	pay09809988.exe
PID 2564 wrote to memory of 944	2564	pay09809988.exe	pay09809988.exe
PID 2564 wrote to memory of 944	2564	pay09809988.exe	pay09809988.exe
PID 944 wrote to memory of 2788	944	pay09809988.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
2⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
3⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
4⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
5⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
5⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
6⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
6⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
7⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
7⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
8⤵
PID:708

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
9⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
9⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
10⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
10⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
11⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
11⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
12⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
12⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
13⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
13⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
14⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
14⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
15⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
15⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
16⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
16⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
17⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
17⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
18⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
18⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
19⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
19⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
20⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
20⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
21⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
21⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:3008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
22⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
22⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
23⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
23⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
24⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
24⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
25⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
25⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
26⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
26⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
27⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
27⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
28⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
28⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
29⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
29⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
30⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
30⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
31⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
31⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
32⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
32⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
33⤵
PID:108

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
33⤵
- Suspicious behavior: MapViewOfSection
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
34⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
34⤵
- Suspicious behavior: MapViewOfSection
PID:408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
35⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
35⤵
- Suspicious behavior: MapViewOfSection
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
36⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
36⤵
- Suspicious behavior: MapViewOfSection
PID:2464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
37⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
37⤵
- Suspicious behavior: MapViewOfSection
PID:988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
38⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
38⤵
- Suspicious behavior: MapViewOfSection
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
39⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
39⤵
- Suspicious behavior: MapViewOfSection
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
40⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
40⤵
- Suspicious behavior: MapViewOfSection
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
41⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
41⤵
- Suspicious behavior: MapViewOfSection
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
42⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
42⤵
- Suspicious behavior: MapViewOfSection
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
43⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
43⤵
- Suspicious behavior: MapViewOfSection
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
44⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
44⤵
- Suspicious behavior: MapViewOfSection
PID:2596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
45⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
45⤵
- Suspicious behavior: MapViewOfSection
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
46⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
46⤵
- Suspicious behavior: MapViewOfSection
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
47⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
47⤵
- Suspicious behavior: MapViewOfSection
PID:1424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
48⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
48⤵
- Suspicious behavior: MapViewOfSection
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
49⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\pay09809988.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
49⤵
- Suspicious behavior: MapViewOfSection
PID:2956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\pay09809988.exe"
50⤵
PID:2636

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mybuttxxxt.xff
Filesize
395KB

MD5
fab8080f79362b1ee8439686b6362c81

SHA1
051216d918734d447a11c92dc1df297bab7fc9f9

SHA256
09ca4092c88681c26d4ef899333913d078e9bd33c5ff86d4ae245c67f5361ddf

SHA512
c2247e2e5793207be1f1d8e9343894c25f9f74ec7b9e59bd5c62dc2ebfb2d9e145ab6fef2e9c817843d074f0cc78c594c21cd1ea390eb40b6d7ef3e4d725ad5f

Download Submit
\Users\Admin\AppData\Local\Temp\jy2091qep.dll
Filesize
18KB

MD5
a393df2af4708ff2592687ff4ee343b9

SHA1
19b5212fc5dbd673f7e4f78c52b6c0ea33121d85

SHA256
eea2ac27c7db126176b9cbf245328c9acb06665995f1212cc28792304ca3f6f5

SHA512
b960e1ad593a17d94cacec2ef4e30c1b17b69469e3f1a0b26d992dce1ef697078a466bd1bde5779373bae6ff5b35c39a13f818c03c4a3a3eacda051b44ea0491

Download Submit
\Users\Admin\AppData\Local\Temp\nsy18CF.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/1560-332-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1976-26-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2184-11-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2184-12-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2264-415-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2264-414-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2564-95-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2604-461-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2752-55-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2836-41-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2836-40-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads