nanocore | 8fae316bf8f8c4de9d4faf0cf69df5a2fb668974577d5796a185a75ff3430acf

General

Target

safari june 2021.doc
Size

830KB
MD5

44cda25d4bd91498afb391081e925d65
SHA1

3b04f2b38ab9f4850389e48551b71f8fcd1bbc15
SHA256

8fae316bf8f8c4de9d4faf0cf69df5a2fb668974577d5796a185a75ff3430acf
SHA512

378824365f03f51ded0a5046e72c63185c84083bcc39506fbdfe37d2b7ce0b97a2910cbd94ffd25d9b2c49ad2e527dc086c91c17adbb415718d82c3c883d7f61

Score

10^/10

nanocore evasion keylogger persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu:2420

Mutex

9a83c6a0-5b64-416c-b0dc-d47048e32edf

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-11-08T01:17:30.860776436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2420
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
9a83c6a0-5b64-416c-b0dc-d47048e32edf
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1968 EQNEDT32.EXE
Executes dropped EXE 2 IoCs

Processes:

JID.exeJID.exe

pid process

932 JID.exe
112 JID.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1968 EQNEDT32.EXE
1968 EQNEDT32.EXE

flow	pid	process
7	1968	EQNEDT32.EXE

pid	process
932	JID.exe
112	JID.exe

pid	process
1968	EQNEDT32.EXE
1968	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

JID.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"	JID.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

JID.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA JID.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

JID.exe

pid process

932 JID.exe
932 JID.exe
932 JID.exe
932 JID.exe
932 JID.exe
932 JID.exe
932 JID.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

JID.exe

description pid process target process

PID 932 set thread context of 112 932 JID.exe JID.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JID.exe

pid	process
932	JID.exe
932	JID.exe
932	JID.exe
932	JID.exe
932	JID.exe
932	JID.exe
932	JID.exe

description	pid	process	target process
PID 932 set thread context of 112	932	JID.exe	JID.exe

Drops file in Program Files directory 2 IoCs

Processes:

JID.exe

description	ioc	process
File created	C:\Program Files (x86)\WPA Host\wpahost.exe	JID.exe
File opened for modification	C:\Program Files (x86)\WPA Host\wpahost.exe	JID.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1712 schtasks.exe
1444 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

936 timeout.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1968 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1712	schtasks.exe
1444	schtasks.exe

pid	process
936	timeout.exe

pid	process
1968	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1096 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

JID.exeJID.exe

pid process

932 JID.exe
932 JID.exe
932 JID.exe
112 JID.exe
112 JID.exe
112 JID.exe
112 JID.exe
112 JID.exe
112 JID.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

JID.exe

pid process

112 JID.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

JID.exeJID.exe

description pid process

Token: SeDebugPrivilege 932 JID.exe
Token: SeDebugPrivilege 112 JID.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1096 WINWORD.EXE
1096 WINWORD.EXE

pid	process
1096	WINWORD.EXE

pid	process
932	JID.exe
932	JID.exe
932	JID.exe
112	JID.exe
112	JID.exe
112	JID.exe
112	JID.exe
112	JID.exe
112	JID.exe

pid	process
112	JID.exe

description	pid	process
Token: SeDebugPrivilege	932	JID.exe
Token: SeDebugPrivilege	112	JID.exe

pid	process
1096	WINWORD.EXE
1096	WINWORD.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EQNEDT32.EXEJID.execmd.exeJID.exe

description	pid	process	target process
PID 1968 wrote to memory of 932	1968	EQNEDT32.EXE	JID.exe
PID 1968 wrote to memory of 932	1968	EQNEDT32.EXE	JID.exe
PID 1968 wrote to memory of 932	1968	EQNEDT32.EXE	JID.exe
PID 1968 wrote to memory of 932	1968	EQNEDT32.EXE	JID.exe
PID 932 wrote to memory of 916	932	JID.exe	cmd.exe
PID 932 wrote to memory of 916	932	JID.exe	cmd.exe
PID 932 wrote to memory of 916	932	JID.exe	cmd.exe
PID 932 wrote to memory of 916	932	JID.exe	cmd.exe
PID 916 wrote to memory of 936	916	cmd.exe	timeout.exe
PID 916 wrote to memory of 936	916	cmd.exe	timeout.exe
PID 916 wrote to memory of 936	916	cmd.exe	timeout.exe
PID 916 wrote to memory of 936	916	cmd.exe	timeout.exe
PID 932 wrote to memory of 112	932	JID.exe	JID.exe
PID 932 wrote to memory of 112	932	JID.exe	JID.exe
PID 932 wrote to memory of 112	932	JID.exe	JID.exe
PID 932 wrote to memory of 112	932	JID.exe	JID.exe
PID 932 wrote to memory of 112	932	JID.exe	JID.exe
PID 932 wrote to memory of 112	932	JID.exe	JID.exe
PID 932 wrote to memory of 112	932	JID.exe	JID.exe
PID 932 wrote to memory of 112	932	JID.exe	JID.exe
PID 932 wrote to memory of 112	932	JID.exe	JID.exe
PID 112 wrote to memory of 1712	112	JID.exe	schtasks.exe
PID 112 wrote to memory of 1712	112	JID.exe	schtasks.exe
PID 112 wrote to memory of 1712	112	JID.exe	schtasks.exe
PID 112 wrote to memory of 1712	112	JID.exe	schtasks.exe
PID 112 wrote to memory of 1444	112	JID.exe	schtasks.exe
PID 112 wrote to memory of 1444	112	JID.exe	schtasks.exe
PID 112 wrote to memory of 1444	112	JID.exe	schtasks.exe
PID 112 wrote to memory of 1444	112	JID.exe	schtasks.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\safari june 2021.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Roaming\JID.exe
C:\Users\Admin\AppData\Roaming\JID.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:936

C:\Users\Admin\AppData\Roaming\JID.exe
"C:\Users\Admin\AppData\Roaming\JID.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp400C.tmp"
4⤵
- Creates scheduled task(s)
PID:1712

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4210.tmp"
4⤵
- Creates scheduled task(s)
PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp400C.tmp

MD5
d970a67dfd6a0acd81c47c975844b7db

SHA1
61e96371ca3f39089a8dd9d0597c219f94381ca4

SHA256
352d40f07d725de21c13f107bac20d88a00d5afbd9007091913ee289ecdcfa66

SHA512
007501331856cfd67e3dbf9621b8b3f932ca47b7e13409245e2b6ee8eaf43d1719460226d32baeb2c268ce2e9308e4a3012446d812eb4725113fcde99bbfa980

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4210.tmp

MD5
819bdbdac3be050783d203020e6c4c30

SHA1
a373521fceb21cac8b93e55ee48578e40a6e740b

SHA256
0e5dedca6d0d3c50ebcedb5bbf51ef3d434eb6b43da46764205de7636131f053

SHA512
cece1c4d8b4db79fc6e3cd225efaccdf9d2493f28991b1d48439944af38aaa61a215bd00a0beedcbdecc4f1ec5be0843774375a483f3d4a573a3980c54798cbd

Download Submit
C:\Users\Admin\AppData\Roaming\JID.exe

MD5
75fc4bd3b1f1d99b1f6ed722a1336296

SHA1
0a37747013749af59be5767ecbffd1bf4a683b65

SHA256
208caf830ee7e21732543dd4440d9908de1354ffc57e246339a9660c7609ce6f

SHA512
351601b675388977066fac3f8cd790fa64fd6d29922a49a76431a08d5ac82c5590e8b3417633942ee36a37986ad99b9836d4ebeb7c09a4bfe9f7942c025c1722

Download Submit
C:\Users\Admin\AppData\Roaming\JID.exe

MD5
75fc4bd3b1f1d99b1f6ed722a1336296

SHA1
0a37747013749af59be5767ecbffd1bf4a683b65

SHA256
208caf830ee7e21732543dd4440d9908de1354ffc57e246339a9660c7609ce6f

SHA512
351601b675388977066fac3f8cd790fa64fd6d29922a49a76431a08d5ac82c5590e8b3417633942ee36a37986ad99b9836d4ebeb7c09a4bfe9f7942c025c1722

Download Submit
C:\Users\Admin\AppData\Roaming\JID.exe

MD5
75fc4bd3b1f1d99b1f6ed722a1336296

SHA1
0a37747013749af59be5767ecbffd1bf4a683b65

SHA256
208caf830ee7e21732543dd4440d9908de1354ffc57e246339a9660c7609ce6f

SHA512
351601b675388977066fac3f8cd790fa64fd6d29922a49a76431a08d5ac82c5590e8b3417633942ee36a37986ad99b9836d4ebeb7c09a4bfe9f7942c025c1722

Download Submit
\Users\Admin\AppData\Roaming\JID.exe

MD5
75fc4bd3b1f1d99b1f6ed722a1336296

SHA1
0a37747013749af59be5767ecbffd1bf4a683b65

SHA256
208caf830ee7e21732543dd4440d9908de1354ffc57e246339a9660c7609ce6f

SHA512
351601b675388977066fac3f8cd790fa64fd6d29922a49a76431a08d5ac82c5590e8b3417633942ee36a37986ad99b9836d4ebeb7c09a4bfe9f7942c025c1722

Download Submit
\Users\Admin\AppData\Roaming\JID.exe

MD5
75fc4bd3b1f1d99b1f6ed722a1336296

SHA1
0a37747013749af59be5767ecbffd1bf4a683b65

SHA256
208caf830ee7e21732543dd4440d9908de1354ffc57e246339a9660c7609ce6f

SHA512
351601b675388977066fac3f8cd790fa64fd6d29922a49a76431a08d5ac82c5590e8b3417633942ee36a37986ad99b9836d4ebeb7c09a4bfe9f7942c025c1722

Download Submit
memory/112-18-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/112-32-0x00000000004E0000-0x00000000004E3000-memory.dmp

Filesize
12KB

Download
memory/112-30-0x00000000004D0000-0x00000000004D5000-memory.dmp

Filesize
20KB

Download
memory/112-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/112-21-0x000000006B850000-0x000000006BF3E000-memory.dmp

Filesize
6.9MB

Download
memory/112-19-0x000000000041E792-mapping.dmp

Download
memory/112-31-0x0000000000530000-0x0000000000549000-memory.dmp

Filesize
100KB

Download
memory/112-27-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/916-16-0x0000000000000000-mapping.dmp

Download
memory/932-15-0x00000000004D0000-0x0000000000512000-memory.dmp

Filesize
264KB

Download
memory/932-9-0x0000000000000000-mapping.dmp

Download
memory/932-13-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/932-22-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/932-12-0x000000006B850000-0x000000006BF3E000-memory.dmp

Filesize
6.9MB

Download
memory/936-17-0x0000000000000000-mapping.dmp

Download
memory/1096-2-0x0000000072E21000-0x0000000072E24000-memory.dmp

Filesize
12KB

Download
memory/1096-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1096-3-0x00000000708A1000-0x00000000708A3000-memory.dmp

Filesize
8KB

Download
memory/1444-28-0x0000000000000000-mapping.dmp

Download
memory/1708-6-0x000007FEF8040000-0x000007FEF82BA000-memory.dmp

Filesize
2.5MB

Download
memory/1712-25-0x0000000000000000-mapping.dmp

Download
memory/1968-5-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads