0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266

General

Target

0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
Size

271KB
MD5

e94d9a5d0a03d3f2bf241a50eea621bc
SHA1

1e915cbf1017cf35ad92c3c06f96b7719062e156
SHA256

0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266
SHA512

2154f9e4f349842217bb97c4e497a91eee6ab3789a6c1f1c7e926e8877a021e496efc61ee69a2e8d5128f47171a204f98a8e262bd30ea557880a0d4eaf85944c
SSDEEP

6144:/rTfUHeeSKOS9ccFKk3Y9t9YZfnVUBTUeg:/n8yN0Mr8ZfnVUBTTg

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

UPX dump on OEP (original entry point) 29 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4296-2-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
C:\Users\Public\Microsoft Build\Isass.exe	UPX
behavioral2/memory/3368-6-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/4296-9-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/2040-10-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/2040-11-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/2096-12-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/2096-15-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/2956-16-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/4904-18-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/2472-19-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/2108-21-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/2284-32-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/3368-36-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/3368-39-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/3368-40-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/3368-41-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe	UPX
behavioral2/memory/3368-45-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/3368-46-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/3368-54-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/3368-55-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/3368-61-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/3368-62-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/3368-69-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/3368-70-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/3368-81-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/3368-82-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX
behavioral2/memory/3368-91-0x0000000000400000-0x00000000016A8E52-memory.dmp	UPX

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exeIsass.exe0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exeIsass.exe0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exeIsass.exe0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exeIsass.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	Isass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	Isass.exe

Executes dropped EXE 6 IoCs

Processes:

Isass.exeIsass.exeIsass.exeIsass.exeIsass.exe0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe

pid process

3368 Isass.exe
2040 Isass.exe
2956 Isass.exe
2472 Isass.exe
2284 Isass.exe
2220 0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3368	Isass.exe
2040	Isass.exe
2956	Isass.exe
2472	Isass.exe
2284	Isass.exe
2220	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exeIsass.exeIsass.exe0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exeIsass.exe0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exeIsass.exe0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exeIsass.exe

pid	process
4296	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
4296	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
3368	Isass.exe
3368	Isass.exe
2040	Isass.exe
2040	Isass.exe
2040	Isass.exe
2040	Isass.exe
2040	Isass.exe
2040	Isass.exe
2096	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
2096	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
2956	Isass.exe
2956	Isass.exe
2956	Isass.exe
2956	Isass.exe
2956	Isass.exe
2956	Isass.exe
4904	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
4904	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
2472	Isass.exe
2472	Isass.exe
2472	Isass.exe
2472	Isass.exe
2472	Isass.exe
2472	Isass.exe
2108	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
2108	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
2284	Isass.exe
2284	Isass.exe
2284	Isass.exe
2284	Isass.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exeIsass.exe0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exeIsass.exe0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exeIsass.exe0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exeIsass.exe

description	pid	process	target process
PID 4296 wrote to memory of 3368	4296	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe	Isass.exe
PID 4296 wrote to memory of 3368	4296	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe	Isass.exe
PID 4296 wrote to memory of 3368	4296	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe	Isass.exe
PID 4296 wrote to memory of 2040	4296	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe	Isass.exe
PID 4296 wrote to memory of 2040	4296	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe	Isass.exe
PID 4296 wrote to memory of 2040	4296	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe	Isass.exe
PID 2040 wrote to memory of 2096	2040	Isass.exe	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
PID 2040 wrote to memory of 2096	2040	Isass.exe	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
PID 2040 wrote to memory of 2096	2040	Isass.exe	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
PID 2096 wrote to memory of 2956	2096	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe	Isass.exe
PID 2096 wrote to memory of 2956	2096	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe	Isass.exe
PID 2096 wrote to memory of 2956	2096	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe	Isass.exe
PID 2956 wrote to memory of 4904	2956	Isass.exe	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
PID 2956 wrote to memory of 4904	2956	Isass.exe	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
PID 2956 wrote to memory of 4904	2956	Isass.exe	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
PID 4904 wrote to memory of 2472	4904	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe	Isass.exe
PID 4904 wrote to memory of 2472	4904	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe	Isass.exe
PID 4904 wrote to memory of 2472	4904	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe	Isass.exe
PID 2472 wrote to memory of 2108	2472	Isass.exe	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
PID 2472 wrote to memory of 2108	2472	Isass.exe	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
PID 2472 wrote to memory of 2108	2472	Isass.exe	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
PID 2108 wrote to memory of 2284	2108	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe	Isass.exe
PID 2108 wrote to memory of 2284	2108	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe	Isass.exe
PID 2108 wrote to memory of 2284	2108	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe	Isass.exe
PID 2284 wrote to memory of 2220	2284	Isass.exe	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
PID 2284 wrote to memory of 2220	2284	Isass.exe	0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe

C:\Users\Admin\AppData\Local\Temp\0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
"C:\Users\Admin\AppData\Local\Temp\0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3368
- C:\Users\Public\Microsoft Build\Isass.exe
  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
    "C:\Users\Admin\AppData\Local\Temp\0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Users\Admin\AppData\Local\Temp\0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4904
      - C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe"
        7⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Users\Public\Microsoft Build\Isass.exe
        
        "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe"
        9⤵
        Executes dropped EXE
        
        PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

Filesize
688KB

MD5
c4e802bea3b1eed302252031520d426c

SHA1
20ea9d0fd8b00ba778c97f24227250a22abce417

SHA256
54fe4d21c5179ffaf6758c7b85d03c91a1fc64d540df172989c22e9a3fa69ef0

SHA512
68857ae63e9cbeeef8a89aa9b8ed8c2ffef5f789779591cfcb2552cd865f302830e29c0235334e8e54d90fa81a5f3585497d69de0e2adbefb328590436e489e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cb3026b28ab359211f50176bc8f920884474445331155c4b9a3d5bc11f93266.exe

Filesize
37KB

MD5
371627fd939bb54ed26f473ca54e718f

SHA1
3a6910295ae9d1fe388b7572736b8bdfc6e0d111

SHA256
b5481e424246a174456add0132427df3a7cd4105f5769835cdf597966c7c0b61

SHA512
ff7ea5ae445089ffa808c97e23c620313dd267994b343176c0cb9f8098aace1d12d9212b96611fdf97c974ef94f866b817aed9c0e5f4f195234e7d8d4ec3f8cd

Download Submit
C:\Users\Public\Microsoft Build\Isass.exe

Filesize
216KB

MD5
5e0cf203964abafa22d81a923be95cb9

SHA1
e066b6d4a7739fef41c63521435ee3f735fe17b8

SHA256
08df8fa4184b52bd2d853adf15ce9e2926abf25a8a2f805845fd4d85a8ade74f

SHA512
78245760d831fd173a504cde12d1b2200ed7e6891afbb129a7bdc67784a50a0fc86dc7caf46286c74ddf3fa43c74558f21925f9c0eef872ed25644496a6dd26b

Download Submit
memory/2040-10-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2040-11-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2096-12-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2096-15-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2108-21-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2220-34-0x0000000000A10000-0x0000000000A1E000-memory.dmp

Filesize
56KB

Download
memory/2284-32-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2472-19-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/2956-16-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3368-62-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3368-46-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3368-6-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3368-91-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3368-82-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3368-36-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3368-39-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3368-40-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3368-41-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3368-81-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3368-45-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3368-7-0x0000000003710000-0x0000000003711000-memory.dmp

Filesize
4KB

Download
memory/3368-54-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3368-55-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3368-61-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3368-70-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/3368-69-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4296-9-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4296-2-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download
memory/4296-3-0x0000000001AA0000-0x0000000001AA1000-memory.dmp

Filesize
4KB

Download
memory/4904-18-0x0000000000400000-0x00000000016A8E52-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads