nanocore | e9c342550d334bffc58a310997673e24eed03f4d2b9c441dec943b24e7d29d08

General

Target

INVOICE = 212888585 .xlsx
Size

732KB
MD5

145e00853b80fb2d97676c4416f984a9
SHA1

fa80c59ebbafc435e88ffdceae00450b56ec5d48
SHA256

e9c342550d334bffc58a310997673e24eed03f4d2b9c441dec943b24e7d29d08
SHA512

6e150bd0e392f3bb7696a0f8dcffcc453c508879165e0bef4eec268e0b5aebe40f03b4bb683970e91e4d3b010481c18c81d697f186cb813cb299deb4767d9467

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

godisgood1.hopto.org:7712

Mutex

9ed8d108-2eb1-4e23-9679-783796e4baff

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-04-23T17:16:53.813634136Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
7712
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
9ed8d108-2eb1-4e23-9679-783796e4baff
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
godisgood1.hopto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

1 1880 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

ALP.exeALP.exe

pid process

1504 ALP.exe
1268 ALP.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1880 EQNEDT32.EXE

flow	pid	process
1	1880	EQNEDT32.EXE

pid	process
1504	ALP.exe
1268	ALP.exe

pid	process
1880	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ALP.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisv.exe"	ALP.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

ALP.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ALP.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ALP.exe

description pid process target process

PID 1504 set thread context of 1268 1504 ALP.exe ALP.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ALP.exe

description	pid	process	target process
PID 1504 set thread context of 1268	1504	ALP.exe	ALP.exe

Drops file in Program Files directory 2 IoCs

Processes:

ALP.exe

description	ioc	process
File created	C:\Program Files (x86)\DPI Service\dpisv.exe	ALP.exe
File opened for modification	C:\Program Files (x86)\DPI Service\dpisv.exe	ALP.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1836 schtasks.exe
1696 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1880 EQNEDT32.EXE

pid	process
1836	schtasks.exe
1696	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1880	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1908 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

ALP.exe

pid process

1268 ALP.exe
1268 ALP.exe
1268 ALP.exe
1268 ALP.exe
1268 ALP.exe
1268 ALP.exe
1268 ALP.exe
1268 ALP.exe
1268 ALP.exe
1268 ALP.exe
1268 ALP.exe
1268 ALP.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ALP.exe

pid process

1268 ALP.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ALP.exe

description pid process

Token: SeDebugPrivilege 1268 ALP.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1908 EXCEL.EXE
1908 EXCEL.EXE
1908 EXCEL.EXE
1908 EXCEL.EXE
1908 EXCEL.EXE

pid	process
1908	EXCEL.EXE

pid	process
1268	ALP.exe
1268	ALP.exe
1268	ALP.exe
1268	ALP.exe
1268	ALP.exe
1268	ALP.exe
1268	ALP.exe
1268	ALP.exe
1268	ALP.exe
1268	ALP.exe
1268	ALP.exe
1268	ALP.exe

pid	process
1268	ALP.exe

description	pid	process
Token: SeDebugPrivilege	1268	ALP.exe

pid	process
1908	EXCEL.EXE
1908	EXCEL.EXE
1908	EXCEL.EXE
1908	EXCEL.EXE
1908	EXCEL.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EQNEDT32.EXEEXCEL.EXEALP.exeALP.exe

description	pid	process	target process
PID 1880 wrote to memory of 1504	1880	EQNEDT32.EXE	ALP.exe
PID 1880 wrote to memory of 1504	1880	EQNEDT32.EXE	ALP.exe
PID 1880 wrote to memory of 1504	1880	EQNEDT32.EXE	ALP.exe
PID 1880 wrote to memory of 1504	1880	EQNEDT32.EXE	ALP.exe
PID 1908 wrote to memory of 1612	1908	EXCEL.EXE	splwow64.exe
PID 1908 wrote to memory of 1612	1908	EXCEL.EXE	splwow64.exe
PID 1908 wrote to memory of 1612	1908	EXCEL.EXE	splwow64.exe
PID 1908 wrote to memory of 1612	1908	EXCEL.EXE	splwow64.exe
PID 1504 wrote to memory of 1268	1504	ALP.exe	ALP.exe
PID 1504 wrote to memory of 1268	1504	ALP.exe	ALP.exe
PID 1504 wrote to memory of 1268	1504	ALP.exe	ALP.exe
PID 1504 wrote to memory of 1268	1504	ALP.exe	ALP.exe
PID 1504 wrote to memory of 1268	1504	ALP.exe	ALP.exe
PID 1504 wrote to memory of 1268	1504	ALP.exe	ALP.exe
PID 1504 wrote to memory of 1268	1504	ALP.exe	ALP.exe
PID 1504 wrote to memory of 1268	1504	ALP.exe	ALP.exe
PID 1504 wrote to memory of 1268	1504	ALP.exe	ALP.exe
PID 1268 wrote to memory of 1836	1268	ALP.exe	schtasks.exe
PID 1268 wrote to memory of 1836	1268	ALP.exe	schtasks.exe
PID 1268 wrote to memory of 1836	1268	ALP.exe	schtasks.exe
PID 1268 wrote to memory of 1836	1268	ALP.exe	schtasks.exe
PID 1268 wrote to memory of 1696	1268	ALP.exe	schtasks.exe
PID 1268 wrote to memory of 1696	1268	ALP.exe	schtasks.exe
PID 1268 wrote to memory of 1696	1268	ALP.exe	schtasks.exe
PID 1268 wrote to memory of 1696	1268	ALP.exe	schtasks.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\INVOICE = 212888585 .xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1612

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Roaming\ALP.exe
"C:\Users\Admin\AppData\Roaming\ALP.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Roaming\ALP.exe
"C:\Users\Admin\AppData\Roaming\ALP.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB423.tmp"
4⤵
- Creates scheduled task(s)
PID:1836

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB54C.tmp"
4⤵
- Creates scheduled task(s)
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Exploitation for Client Execution

1

T1203

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB423.tmp
MD5
91733d3b2ac62ab5acb5f97a34aa72c8

SHA1
ebe6e1e9d46273da074b8e708e5d57767b8706f3

SHA256
d3878c97a1ac674ace3f5b15c1716afa8d4ec4656f9606d119156bef56db47dc

SHA512
648add0dcd8cda31989c89fb87216506d002f4ea26ab9f30878e4b617713147799001a5673b57124bf3cccdf0c05aacd9783b9c6b4ddd4adbaeeea44a8cf6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB54C.tmp
MD5
a9af285136db016a568e4a53208f21d0

SHA1
e1afef2b7ee8ae945353315daa19a15574b435b7

SHA256
7dce876e35550f4a5b8ce8a8bbab3b0ccd7c5b8660f9db4b832466b77e3a8b7c

SHA512
80a1f5e463a87cddc0f66336e2dc4262daf98984c6f6c662c3615d615ebe7c58677c3d694edb3bd7816ccee969aae967c7efe8526ba423f274ac1210c0c8bd6e

Download Submit
C:\Users\Admin\AppData\Roaming\ALP.exe
MD5
60e9f1e8596c98a6b07129d9c24ec359

SHA1
0e9e28f2853681a41a9ace446c0597320452bd9d

SHA256
658e8d30979add1dfcccd8adba33c136541fe1c9d24bfdeb3fadc5a5a5252716

SHA512
8bb79d52b6997c26edbc94d2cb2ddb8e679acf77230335ec6a09ec7280dce5c711d0630007bb33fde03a5983fc533c89d7a77fd6673fb2100833b82eebeb820a

Download Submit
C:\Users\Admin\AppData\Roaming\ALP.exe
MD5
60e9f1e8596c98a6b07129d9c24ec359

SHA1
0e9e28f2853681a41a9ace446c0597320452bd9d

SHA256
658e8d30979add1dfcccd8adba33c136541fe1c9d24bfdeb3fadc5a5a5252716

SHA512
8bb79d52b6997c26edbc94d2cb2ddb8e679acf77230335ec6a09ec7280dce5c711d0630007bb33fde03a5983fc533c89d7a77fd6673fb2100833b82eebeb820a

Download Submit
C:\Users\Admin\AppData\Roaming\ALP.exe
MD5
60e9f1e8596c98a6b07129d9c24ec359

SHA1
0e9e28f2853681a41a9ace446c0597320452bd9d

SHA256
658e8d30979add1dfcccd8adba33c136541fe1c9d24bfdeb3fadc5a5a5252716

SHA512
8bb79d52b6997c26edbc94d2cb2ddb8e679acf77230335ec6a09ec7280dce5c711d0630007bb33fde03a5983fc533c89d7a77fd6673fb2100833b82eebeb820a

Download Submit
\Users\Admin\AppData\Roaming\ALP.exe
MD5
60e9f1e8596c98a6b07129d9c24ec359

SHA1
0e9e28f2853681a41a9ace446c0597320452bd9d

SHA256
658e8d30979add1dfcccd8adba33c136541fe1c9d24bfdeb3fadc5a5a5252716

SHA512
8bb79d52b6997c26edbc94d2cb2ddb8e679acf77230335ec6a09ec7280dce5c711d0630007bb33fde03a5983fc533c89d7a77fd6673fb2100833b82eebeb820a

Download Submit
memory/1268-76-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1268-96-0x0000000000970000-0x0000000000979000-memory.dmp

Filesize
36KB

Download
memory/1268-79-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1268-92-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/1268-81-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/1268-91-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download
memory/1268-90-0x0000000000550000-0x0000000000565000-memory.dmp

Filesize
84KB

Download
memory/1268-95-0x0000000000960000-0x000000000096D000-memory.dmp

Filesize
52KB

Download
memory/1268-89-0x00000000004B0000-0x00000000004BD000-memory.dmp

Filesize
52KB

Download
memory/1268-77-0x000000000041E792-mapping.dmp

Download
memory/1268-98-0x0000000000A20000-0x0000000000A2A000-memory.dmp

Filesize
40KB

Download
memory/1268-88-0x0000000000440000-0x0000000000443000-memory.dmp

Filesize
12KB

Download
memory/1268-97-0x00000000009C0000-0x00000000009CF000-memory.dmp

Filesize
60KB

Download
memory/1268-93-0x0000000000700000-0x0000000000707000-memory.dmp

Filesize
28KB

Download
memory/1268-87-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/1268-99-0x0000000002200000-0x0000000002229000-memory.dmp

Filesize
164KB

Download
memory/1268-94-0x0000000000710000-0x0000000000716000-memory.dmp

Filesize
24KB

Download
memory/1268-100-0x0000000004850000-0x000000000485F000-memory.dmp

Filesize
60KB

Download
memory/1268-86-0x00000000003D0000-0x00000000003D5000-memory.dmp

Filesize
20KB

Download
memory/1504-74-0x0000000004EB0000-0x0000000004F19000-memory.dmp

Filesize
420KB

Download
memory/1504-65-0x0000000000000000-mapping.dmp

Download
memory/1504-75-0x0000000000730000-0x0000000000764000-memory.dmp

Filesize
208KB

Download
memory/1504-73-0x0000000000330000-0x0000000000337000-memory.dmp

Filesize
28KB

Download
memory/1504-72-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/1504-69-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1612-71-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp

Filesize
8KB

Download
memory/1612-68-0x0000000000000000-mapping.dmp

Download
memory/1696-84-0x0000000000000000-mapping.dmp

Download
memory/1836-82-0x0000000000000000-mapping.dmp

Download
memory/1880-63-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1908-60-0x000000002F4F1000-0x000000002F4F4000-memory.dmp

Filesize
12KB

Download
memory/1908-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1908-61-0x0000000071AE1000-0x0000000071AE3000-memory.dmp

Filesize
8KB

Download
memory/1908-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads