Analysis
- max time kernel: 140s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07/04/2024, 00:07
Static task: static1
Behavioral task: behavioral1
- Sample: a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
- Resource: win10v2004-20231215-en
General
- Target: a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
- Size: 367KB
- MD5: 47003e6a14a32ce0c0a7a83d1cf5cfe8
- SHA1: 5bca37d70d3cc7da571d6b37f6d345162f55e9a0
- SHA256: a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7
- SHA512: a2c47ce4cee1d867ba61debe8c8a06c2610a38bcbbeaf195268ae83a81ff3e18043ad724fd2bfb78f8a26a661d478a9674acfaa7c305ebcf730c04aa354e659b
- SSDEEP: 6144:/rTfUHeeSKOS9ccFKk3Y9t9YZ9wA36TVgoD/4qtv+j:/n8yN0Mr8Z9BqTVgoD4K2j
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 52 IoCs
Executes dropped EXE 16 IoCs
Loads dropped DLL 23 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" (process: a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe" (process: a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes (tree depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe"
    PID: 1936
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[2] C:\Users\Public\Microsoft Build\Isass.exe
    command line: "C:\Users\Public\Microsoft Build\Isass.exe"
    PID: 1732
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
[2] C:\Users\Public\Microsoft Build\Isass.exe
    command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    PID: 2936
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[3] C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe"
    PID: 2580
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[4] C:\Users\Public\Microsoft Build\Isass.exe
    command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    PID: 2632
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[5] C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe"
    PID: 2496
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[6] C:\Users\Public\Microsoft Build\Isass.exe
    command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    PID: 2624
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[7] C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe"
    PID: 2384
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[8] C:\Users\Public\Microsoft Build\Isass.exe
    command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    PID: 2408
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[9] C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe"
    PID: 2376
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[10] C:\Users\Public\Microsoft Build\Isass.exe
    command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    PID: 2436
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[11] C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe"
    PID: 2412
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[12] C:\Users\Public\Microsoft Build\Isass.exe
    command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    PID: 2132
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[13] C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe"
    PID: 2244
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[14] C:\Users\Public\Microsoft Build\Isass.exe
    command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    PID: 864
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[15] C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe"
    PID: 1240
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[16] C:\Users\Public\Microsoft Build\Isass.exe
    command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    PID: 2608
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
[17] C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe"
    PID: 2116
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
[18] C:\Users\Public\Microsoft Build\Isass.exe
    command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    PID: 1516
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
[19] C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe"
    PID: 2144
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
[20] C:\Users\Public\Microsoft Build\Isass.exe
    command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    PID: 1564
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
[21] C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe"
    PID: 1792
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
[22] C:\Users\Public\Microsoft Build\Isass.exe
    command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    PID: 2128
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
[23] C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe"
    PID: 2272
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
[24] C:\Users\Public\Microsoft Build\Isass.exe
    command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    PID: 2560
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
[25] C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe"
    PID: 2024
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
[26] C:\Users\Public\Microsoft Build\Isass.exe
    command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    PID: 2912
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
[27] C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe"
    PID: 2704
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
[28] C:\Users\Public\Microsoft Build\Isass.exe
    command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    PID: 1616
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
[29] C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe"
    PID: 1948
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\a861cf11db05c018ac8074c1aaba4a165c8f262fd9e968eda282da0ede9726b7.exe
  Filesize: 143KB
  MD5: 38f108cddb6619fba80f8382d5227ece
  SHA1: 12fd277bf756f22cfae3043900e4aff8b9f05ed9
  SHA256: 8296fe257b8c34398e3f291764454ec3cd9cbe06d60989b632ef4ba6c73ae5dc
  SHA512: 3db732c23f10122c78cffc6b6a5b11836ade1a23f5c6f9a192f2be2fa99c5bd7afb7a9e29c5d518a888cdd2091f9ac41b244214be226152830e96f5ec2cca424
- (no path recorded)
  Filesize: 216KB
  MD5: a92fd1818bc42eb1711028effd4bd1bd
  SHA1: f5ffb2e8578588b5445d98d31936c644c10d9388
  SHA256: 2dfe42e4a995abebe4d67009205c3b2274afe39fc796bf22e23832edc0564847
  SHA512: 80d8fc9b1369d644bd362bd8f4d5ebdad041d083ef994797429cd5ffb9a3a19005600f1869eb884d49cb81a191f5233efa6fd79562463372bbb095c52f21fa59