isrstealer | 0ce512a25f2e1f57c65984db9e01998ce514000672050e32a7ec6b624ecdea6f

General

Target

48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
Size

936KB
MD5

48bc87a9204fe25e1a18bf2640dfed61
SHA1

7430784fe61fb6e8de9cdd5b5365e81b9bb793e0
SHA256

0ce512a25f2e1f57c65984db9e01998ce514000672050e32a7ec6b624ecdea6f
SHA512

ad4f61800bdcd419e166fec4855708d10817f864393b96564e58fd9f165f480011ace5b1b73eb633880d9d65589016e87908c880738fc404523c448611243b36
SSDEEP

24576:V7q55ahO1N+AuTpoLb+/k1AMDhHxRHONMJ5:V255ahO1N+DTpoX+/m9HyNMT

Score

10^/10

isrstealer bootkit persistence spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/668-72-0x0000000000400000-0x0000000000433000-memory.dmp	family_isrstealer
behavioral1/memory/668-75-0x0000000000400000-0x0000000000433000-memory.dmp	family_isrstealer
behavioral1/memory/668-99-0x0000000000400000-0x0000000000433000-memory.dmp	family_isrstealer
behavioral1/memory/2836-107-0x0000000000130000-0x000000000015B000-memory.dmp	family_isrstealer

Executes dropped EXE 6 IoCs

Processes:

bie_7install86.exeY0X6xp55d.exeY0X6xp55d.exeY0X6xp55d.exeY0X6xp55d.exebie_kms.exe

pid process

2788 bie_7install86.exe
1920 Y0X6xp55d.exe
2632 Y0X6xp55d.exe
668 Y0X6xp55d.exe
2936 Y0X6xp55d.exe
304 bie_kms.exe

pid	process
2788	bie_7install86.exe
1920	Y0X6xp55d.exe
2632	Y0X6xp55d.exe
668	Y0X6xp55d.exe
2936	Y0X6xp55d.exe
304	bie_kms.exe

Loads dropped DLL 8 IoCs

Processes:

48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exeY0X6xp55d.exeY0X6xp55d.exeY0X6xp55d.execmd.exe

pid	process
2680	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
2680	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
2680	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
1920	Y0X6xp55d.exe
2632	Y0X6xp55d.exe
668	Y0X6xp55d.exe
2836	cmd.exe
2836	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2936-86-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2936-87-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2936-85-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2936-83-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2936-98-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exeY0X6xp55d.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	Y0X6xp55d.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exeY0X6xp55d.exeY0X6xp55d.exeY0X6xp55d.exe

description	pid	process	target process
PID 1688 set thread context of 2680	1688	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
PID 1920 set thread context of 2632	1920	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 2632 set thread context of 668	2632	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 668 set thread context of 2936	668	Y0X6xp55d.exe	Y0X6xp55d.exe

Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\check.txt cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

408 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1040 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 408 taskkill.exe

description	ioc	process
File created	C:\Windows\check.txt	cmd.exe

pid	process
408	taskkill.exe

pid	process
1040	PING.EXE

description	pid	process
Token: SeDebugPrivilege	408	taskkill.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exeY0X6xp55d.exeY0X6xp55d.exeY0X6xp55d.exe

pid	process
1688	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
2680	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
1920	Y0X6xp55d.exe
2632	Y0X6xp55d.exe
668	Y0X6xp55d.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exebie_7install86.execmd.exeY0X6xp55d.exeY0X6xp55d.exeY0X6xp55d.exe

description	pid	process	target process
PID 1688 wrote to memory of 2680	1688	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
PID 1688 wrote to memory of 2680	1688	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
PID 1688 wrote to memory of 2680	1688	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
PID 1688 wrote to memory of 2680	1688	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
PID 1688 wrote to memory of 2680	1688	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
PID 1688 wrote to memory of 2680	1688	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
PID 1688 wrote to memory of 2680	1688	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
PID 1688 wrote to memory of 2680	1688	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
PID 1688 wrote to memory of 2680	1688	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
PID 2680 wrote to memory of 2788	2680	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	bie_7install86.exe
PID 2680 wrote to memory of 2788	2680	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	bie_7install86.exe
PID 2680 wrote to memory of 2788	2680	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	bie_7install86.exe
PID 2680 wrote to memory of 2788	2680	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	bie_7install86.exe
PID 2680 wrote to memory of 2788	2680	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	bie_7install86.exe
PID 2680 wrote to memory of 2788	2680	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	bie_7install86.exe
PID 2680 wrote to memory of 2788	2680	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	bie_7install86.exe
PID 2680 wrote to memory of 1920	2680	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	Y0X6xp55d.exe
PID 2680 wrote to memory of 1920	2680	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	Y0X6xp55d.exe
PID 2680 wrote to memory of 1920	2680	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	Y0X6xp55d.exe
PID 2680 wrote to memory of 1920	2680	48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe	Y0X6xp55d.exe
PID 2788 wrote to memory of 2836	2788	bie_7install86.exe	cmd.exe
PID 2788 wrote to memory of 2836	2788	bie_7install86.exe	cmd.exe
PID 2788 wrote to memory of 2836	2788	bie_7install86.exe	cmd.exe
PID 2788 wrote to memory of 2836	2788	bie_7install86.exe	cmd.exe
PID 2788 wrote to memory of 2836	2788	bie_7install86.exe	cmd.exe
PID 2788 wrote to memory of 2836	2788	bie_7install86.exe	cmd.exe
PID 2788 wrote to memory of 2836	2788	bie_7install86.exe	cmd.exe
PID 2836 wrote to memory of 2896	2836	cmd.exe	cscript.exe
PID 2836 wrote to memory of 2896	2836	cmd.exe	cscript.exe
PID 2836 wrote to memory of 2896	2836	cmd.exe	cscript.exe
PID 2836 wrote to memory of 2896	2836	cmd.exe	cscript.exe
PID 2836 wrote to memory of 2896	2836	cmd.exe	cscript.exe
PID 2836 wrote to memory of 2896	2836	cmd.exe	cscript.exe
PID 2836 wrote to memory of 2896	2836	cmd.exe	cscript.exe
PID 1920 wrote to memory of 2632	1920	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 1920 wrote to memory of 2632	1920	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 1920 wrote to memory of 2632	1920	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 1920 wrote to memory of 2632	1920	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 1920 wrote to memory of 2632	1920	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 1920 wrote to memory of 2632	1920	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 1920 wrote to memory of 2632	1920	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 1920 wrote to memory of 2632	1920	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 1920 wrote to memory of 2632	1920	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 2632 wrote to memory of 668	2632	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 2632 wrote to memory of 668	2632	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 2632 wrote to memory of 668	2632	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 2632 wrote to memory of 668	2632	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 2632 wrote to memory of 668	2632	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 2632 wrote to memory of 668	2632	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 2632 wrote to memory of 668	2632	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 2632 wrote to memory of 668	2632	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 668 wrote to memory of 2936	668	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 668 wrote to memory of 2936	668	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 668 wrote to memory of 2936	668	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 668 wrote to memory of 2936	668	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 668 wrote to memory of 2936	668	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 668 wrote to memory of 2936	668	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 668 wrote to memory of 2936	668	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 668 wrote to memory of 2936	668	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 668 wrote to memory of 2936	668	Y0X6xp55d.exe	Y0X6xp55d.exe
PID 2836 wrote to memory of 304	2836	cmd.exe	bie_kms.exe
PID 2836 wrote to memory of 304	2836	cmd.exe	bie_kms.exe
PID 2836 wrote to memory of 304	2836	cmd.exe	bie_kms.exe
PID 2836 wrote to memory of 304	2836	cmd.exe	bie_kms.exe

C:\Users\Admin\AppData\Local\Temp\48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\bie_7install86.exe
    "C:\Users\Admin\AppData\Local\Temp\bie_7install86.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Windows\system32\slmgr.vbs /ipk 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH
        5⤵
        
        PID:2896
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bie_kms.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\bie_kms.exe
        5⤵
        Executes dropped EXE
        
        PID:304
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Windows\system32\slmgr.vbs /skms 127.0.0.1
        5⤵
        
        PID:2588
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 16 localhost
        5⤵
        Runs ping.exe
        
        PID:1040
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Windows\system32\slmgr.vbs /ato
        5⤵
        
        PID:2832
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "8007000D" C:\Windows\check.txt
        5⤵
        
        PID:1556
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "Error" C:\Windows\check.txt
        5⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill.exe /F /IM bie_kms.exe /t
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
- - C:\Users\Admin\AppData\Local\Temp\Y0X6xp55d.exe
    "C:\Users\Admin\AppData\Local\Temp\Y0X6xp55d.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\Y0X6xp55d.exe
      "C:\Users\Admin\AppData\Local\Temp\Y0X6xp55d.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Users\Admin\AppData\Local\Temp\Y0X6xp55d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Y0X6xp55d.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:668
      - C:\Users\Admin\AppData\Local\Temp\Y0X6xp55d.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
        6⤵
        Executes dropped EXE
        
        PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat

Filesize
939B

MD5
2416c7a0bb675b13a82db797a0a0f4cb

SHA1
ba7d6df4cdb8801cc4f43eaed7e77f528bd6a917

SHA256
5a2a2d0b9c642abeff0bce8cfa9b5e0432f56069f8366b30bca56b2b5fe7c0fb

SHA512
4238b21d5aff13c02e5cf5c981983e2071b1543a96bb07a15b8f59fa2575652f9d3338e9ffa93a5bece1bc0f3e050acacceac5a141671f8522f8bbc98687e519

Download Submit
C:\Users\Admin\AppData\Local\Temp\bie_7install86.exe

Filesize
161KB

MD5
59d2756095c2911453dd2bfc19732108

SHA1
50dc150e4590f68245560670016087f125135c1a

SHA256
7b8d6ed119c2d6af805e4a5276bd4df476e2632abc04070f1ac01eae3bc7478c

SHA512
d0f676b381befab2fa0d94e374006f4316b0a523f603be99872a392030affd0b7d9c3c4a8c5896b3cfdf12292d11fb7d0e04f65c0b9e7fcffeb9d8707fb70693

Download Submit
C:\Windows\check.txt

Filesize
285B

MD5
c02fbb25f5fb928c5ec413432bb86681

SHA1
a628baa1d6f9a622c837e1cb41e9ac5fbd5c4b63

SHA256
88c3886d4a481d06b3e549af3cfe47262ce890f21606ccdf2ddb226f14dcc9b3

SHA512
1724126f92390e0f9628a123155e88a8e628c070b9d637f7f80996fd2ec73f627974350d1597e58842e86839109ebb5f8ac1b702efe6ddf51b28e003e66440d9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\bie_kms.exe

Filesize
73KB

MD5
f4d6c55c7b137a1d8c16430287aedf40

SHA1
45d9902691fbcc295739764b96081b2a508311b7

SHA256
8a4286546d14e1edb583278ef4226ee6542515b55a258bbfbce6d303a090c8a7

SHA512
9f2e91a291ce4057fc67c4e91aaa7a9e696ce67cecec46e12372356e0b696dcfac56c6003d2c8bd897479603b8ba02aae9045399fe9648cfb838506a692d9d83

Download Submit
\Users\Admin\AppData\Local\Temp\Y0X6xp55d.exe

Filesize
488KB

MD5
89c6bf05f4d149d84822e906c29723e5

SHA1
a7b1df099f236a66b2e521e37821e185d2c1ba37

SHA256
3d45fde0386fcc7e82a8e799a64864c6deb4ebd33a716b54f851b566968c5050

SHA512
77620db2d71edb2279d84bb685bd13d67451bb14da19017a86b25cf2b79ecd5df54357cacc4a07b278c67c0d2c35164bd9e93e1107dca176694803f9667eb606

Download Submit
memory/304-100-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/304-94-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/668-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/668-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/668-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/668-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/668-75-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-77-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2632-53-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2632-55-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2632-57-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2632-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2632-62-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2680-36-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2680-6-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2680-12-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2680-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2680-2-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2680-4-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2680-16-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2836-107-0x0000000000130000-0x000000000015B000-memory.dmp

Filesize
172KB

Download
memory/2836-106-0x0000000000130000-0x000000000015B000-memory.dmp

Filesize
172KB

Download
memory/2836-93-0x0000000000130000-0x000000000015B000-memory.dmp

Filesize
172KB

Download
memory/2836-92-0x0000000000130000-0x000000000015B000-memory.dmp

Filesize
172KB

Download
memory/2936-86-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2936-98-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2936-83-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2936-87-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2936-85-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads