Analysis
max time kernel: 140s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 07-04-2024 19:49

Static task: static1

Behavioral task: behavioral1
Sample: 2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
Resource: win10v2004-20240226-en

General
Target: 2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
Size: 276KB
MD5: 5f982f95a3b1529f43d3b1150c4b4489
SHA1: 9d1ec5115b2ec1ee79cbc0cb2cc470a75049ea31
SHA256: 2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0
SHA512: 7c568a2e2d9bc19d19aab93f9302f0d133890445a41d281ecfe885c4128dc012da9264c5809672f5a09ff96c108c922dd382a6164d343f69274eb086cfe554c4
SSDEEP: 6144:9rTfUHeeSKOS9ccFKk3Y9t9YxVPAAIFE6:9n8yN0Mr8Qk6
Malware Config
Signatures
UPX dump on OEP (original entry point) 57 IoCs
Processes:
resource  yara_rule
\Users\Public\Microsoft Build\Isass.exe  UPX
behavioral1/memory/856-12-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/856-11-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2796-15-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2312-16-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/3024-21-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/3024-22-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2648-24-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2652-32-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2716-33-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2716-37-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2728-40-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2624-39-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2452-46-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2532-48-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2900-49-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2900-52-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/1628-56-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2752-59-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2884-62-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2276-63-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2312-65-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2276-67-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/1304-70-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/1364-78-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/1656-75-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2172-83-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/1704-85-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2704-91-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/1604-94-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/1540-99-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/1520-101-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/1520-102-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/1540-96-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2108-104-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2052-111-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2948-113-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2948-115-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/1748-119-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/600-123-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/600-122-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2312-125-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/1188-127-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/1188-133-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2312-151-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2312-153-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2312-160-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2312-161-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2312-169-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2312-170-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2312-176-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2312-177-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2312-185-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2312-186-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2312-194-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2312-195-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
behavioral1/memory/2312-207-0x0000000000400000-0x00000000016A8000-memory.dmp  UPX
Executes dropped EXE 17 IoCs
Processes:
pid  process
2312  Isass.exe
2796  Isass.exe
2648  Isass.exe
2716  Isass.exe
2624  Isass.exe
2532  Isass.exe
1628  Isass.exe
2884  Isass.exe
1304  Isass.exe
1364  Isass.exe
1704  Isass.exe
1604  Isass.exe
1520  Isass.exe
2052  Isass.exe
1748  Isass.exe
1188  Isass.exe
2080  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
Loads dropped DLL 22 IoCs
Processes:
pid  process
856  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
856  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
856  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
856  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
3024  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
3024  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2652  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2652  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2728  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2452  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2900  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2752  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2276  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
1656  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2172  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2704  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
1540  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2108  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2948  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
600  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
1188  Isass.exe
2312  Isass.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
Drops file in Windows directory 2 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
File created  C:\Windows\assembly\GACLock.dat  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
pid  process
856  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2312  Isass.exe
2796  Isass.exe
2796  Isass.exe
2796  Isass.exe
3024  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2648  Isass.exe
2648  Isass.exe
2648  Isass.exe
2652  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2716  Isass.exe
2716  Isass.exe
2716  Isass.exe
2728  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2624  Isass.exe
2624  Isass.exe
2624  Isass.exe
2452  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2532  Isass.exe
2532  Isass.exe
2532  Isass.exe
2900  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
1628  Isass.exe
1628  Isass.exe
1628  Isass.exe
2752  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2884  Isass.exe
2884  Isass.exe
2884  Isass.exe
2276  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
1304  Isass.exe
1304  Isass.exe
1304  Isass.exe
1656  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
1364  Isass.exe
1364  Isass.exe
1364  Isass.exe
2172  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
1704  Isass.exe
1704  Isass.exe
1704  Isass.exe
2704  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
1604  Isass.exe
1604  Isass.exe
1604  Isass.exe
1540  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
1520  Isass.exe
1520  Isass.exe
1520  Isass.exe
2108  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
2052  Isass.exe
2052  Isass.exe
2052  Isass.exe
2948  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
1748  Isass.exe
1748  Isass.exe
1748  Isass.exe
600  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
1188  Isass.exe
1188  Isass.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description  pid  process  target process
PID 856 wrote to memory of 2312  856  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 856 wrote to memory of 2312  856  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 856 wrote to memory of 2312  856  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 856 wrote to memory of 2312  856  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 856 wrote to memory of 2796  856  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 856 wrote to memory of 2796  856  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 856 wrote to memory of 2796  856  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 856 wrote to memory of 2796  856  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2796 wrote to memory of 3024  2796  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2796 wrote to memory of 3024  2796  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2796 wrote to memory of 3024  2796  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2796 wrote to memory of 3024  2796  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 3024 wrote to memory of 2648  3024  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 3024 wrote to memory of 2648  3024  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 3024 wrote to memory of 2648  3024  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 3024 wrote to memory of 2648  3024  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2648 wrote to memory of 2652  2648  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2648 wrote to memory of 2652  2648  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2648 wrote to memory of 2652  2648  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2648 wrote to memory of 2652  2648  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2652 wrote to memory of 2716  2652  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2652 wrote to memory of 2716  2652  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2652 wrote to memory of 2716  2652  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2652 wrote to memory of 2716  2652  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2716 wrote to memory of 2728  2716  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2716 wrote to memory of 2728  2716  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2716 wrote to memory of 2728  2716  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2716 wrote to memory of 2728  2716  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2728 wrote to memory of 2624  2728  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2728 wrote to memory of 2624  2728  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2728 wrote to memory of 2624  2728  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2728 wrote to memory of 2624  2728  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2624 wrote to memory of 2452  2624  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2624 wrote to memory of 2452  2624  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2624 wrote to memory of 2452  2624  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2624 wrote to memory of 2452  2624  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2452 wrote to memory of 2532  2452  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2452 wrote to memory of 2532  2452  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2452 wrote to memory of 2532  2452  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2452 wrote to memory of 2532  2452  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2532 wrote to memory of 2900  2532  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2532 wrote to memory of 2900  2532  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2532 wrote to memory of 2900  2532  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2532 wrote to memory of 2900  2532  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2900 wrote to memory of 1628  2900  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2900 wrote to memory of 1628  2900  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2900 wrote to memory of 1628  2900  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2900 wrote to memory of 1628  2900  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 1628 wrote to memory of 2752  1628  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 1628 wrote to memory of 2752  1628  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 1628 wrote to memory of 2752  1628  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 1628 wrote to memory of 2752  1628  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2752 wrote to memory of 2884  2752  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2752 wrote to memory of 2884  2752  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2752 wrote to memory of 2884  2752  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2752 wrote to memory of 2884  2752  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2884 wrote to memory of 2276  2884  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2884 wrote to memory of 2276  2884  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2884 wrote to memory of 2276  2884  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2884 wrote to memory of 2276  2884  Isass.exe  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
PID 2276 wrote to memory of 1304  2276  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2276 wrote to memory of 1304  2276  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2276 wrote to memory of 1304  2276  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
PID 2276 wrote to memory of 1304  2276  2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe  Isass.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 856

Level 2: C:\Users\Public\Microsoft Build\Isass.exe
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID: 2312

Level 2: C:\Users\Public\Microsoft Build\Isass.exe
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2796

Level 3: C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3024

Level 4: C:\Users\Public\Microsoft Build\Isass.exe
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2648

Level 5: C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2652

Level 6: C:\Users\Public\Microsoft Build\Isass.exe
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2716

Level 7: C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2728

Level 8: C:\Users\Public\Microsoft Build\Isass.exe
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2624

Level 9: C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2452

Level 10: C:\Users\Public\Microsoft Build\Isass.exe
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2532

Level 11: C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2900

Level 12: C:\Users\Public\Microsoft Build\Isass.exe
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1628

Level 13: C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2752

Level 14: C:\Users\Public\Microsoft Build\Isass.exe
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2884

Level 15: C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2276

Level 16: C:\Users\Public\Microsoft Build\Isass.exe
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 1304

Level 17: C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID: 1656

Level 18: C:\Users\Public\Microsoft Build\Isass.exe
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 1364

Level 19: C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID: 2172

Level 20: C:\Users\Public\Microsoft Build\Isass.exe
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 1704

Level 21: C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID: 2704

Level 22: C:\Users\Public\Microsoft Build\Isass.exe
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 1604

Level 23: C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID: 1540

Level 24: C:\Users\Public\Microsoft Build\Isass.exe
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 1520

Level 25: C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID: 2108

Level 26: C:\Users\Public\Microsoft Build\Isass.exe
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 2052

Level 27: C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID: 2948

Level 28: C:\Users\Public\Microsoft Build\Isass.exe
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 1748

Level 29: C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID: 600

Level 30: C:\Users\Public\Microsoft Build\Isass.exe
  Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID: 1188

Level 31: C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 2080
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\2f38841d7eaedb9cd61f2db5a31a08653684e6083d4ae9a2c383d38ce2fae6c0.exe
Filesize: 16KB
MD5: 2557c0af4fbb8f735f01f751a3d19103
SHA1: 0b502de159576804d48b24d88b1f9545500be0b3
SHA256: 0a17132c93b11ee8e897ec23a8f3f73e717fa0d82ae6b3828a53b42f5e364013
SHA512: 6340d6a86338cca88c6f040d0c4c40c656debe9b49fb59e1c4c9a4d3bd3b24af1d34ca0d05edefbea1010e24b9e0dd71d362f8a8fc6bc374e8d75d9145311aaa

Filesize: 109KB
MD5: 59afbbddb8088578aef08f0520ac46ca
SHA1: eef7d8b7f60fde97961f426d7f4694e0fef9dc3d
SHA256: 628125bcf772f7706ce94cff3798afcbee482806ed19fb754e7142f25efc6954
SHA512: 0380d8241168536dd52dd3c5a6c5961f6626274fcbe074916e595096ee651da58fb32f593d18bd0d3b3f57c0a152f9c2eb998d7a4833ed01e6e253e9cd5543fc

Filesize: 211KB
MD5: 70cc7e668d4d271148bcd4034c545e0c
SHA1: ab5efae9b8d95a537ec378935c4d24cb10c0fc27
SHA256: 46aa89de26cd3802b9c938641c82ccce1e5879c376cbef841a45cc75d6cfc364
SHA512: 28c1967a57d19eb254ac988a93a17124e2757ba6bebe1ef9619ad05ce201d5f3e6977a6fb463daaddf099a7918a66688c22e4a7c00eb8a3f915170d149d9327f