nanocore | 196fffbae1c2c00c4cdf52ec8547e07b012b11616a3e923f83d12e37d029af91

General

Target

04744d68089e1df52c65fded5fc4b78b.exe
Size

697KB
MD5

04744d68089e1df52c65fded5fc4b78b
SHA1

86877b212396f40ec8a7bcd45ac4b8a5f68a884b
SHA256

196fffbae1c2c00c4cdf52ec8547e07b012b11616a3e923f83d12e37d029af91
SHA512

2fbc456bd32626b5165b6131c349595059e9d18e9b787e0f2b07712b0e10065f0730b423c4b9653ebfedd0b15c83a914352dded63c6ed2aaf173bb4f1c07dcf2
SSDEEP

12288:9XHok11R/5PR+/SyeFX62G9/R/kjI28j0Hha3yRZ0QFu3+NjLLyqWP:dHBPnyeFX6h4s28j0Hha3iv2SPZW

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

updatedhostlogs.duckdns.org:15440

127.0.0.1:15440

Mutex

4d2e43d2-7711-42b4-aaa9-39d47a0f2cf9

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-05-29T02:50:37.913192336Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
15440
default_group
Stiler
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4d2e43d2-7711-42b4-aaa9-39d47a0f2cf9
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
updatedhostlogs.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions 04744d68089e1df52c65fded5fc4b78b.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools 04744d68089e1df52c65fded5fc4b78b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	04744d68089e1df52c65fded5fc4b78b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	04744d68089e1df52c65fded5fc4b78b.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	04744d68089e1df52c65fded5fc4b78b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	04744d68089e1df52c65fded5fc4b78b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe"	04744d68089e1df52c65fded5fc4b78b.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	04744d68089e1df52c65fded5fc4b78b.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	04744d68089e1df52c65fded5fc4b78b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	04744d68089e1df52c65fded5fc4b78b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

description pid process target process

PID 1884 set thread context of 1916 1884 04744d68089e1df52c65fded5fc4b78b.exe 04744d68089e1df52c65fded5fc4b78b.exe

description	pid	process	target process
PID 1884 set thread context of 1916	1884	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe

Drops file in Program Files directory 2 IoCs

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

description	ioc	process
File created	C:\Program Files (x86)\SCSI Service\scsisvc.exe	04744d68089e1df52c65fded5fc4b78b.exe
File opened for modification	C:\Program Files (x86)\SCSI Service\scsisvc.exe	04744d68089e1df52c65fded5fc4b78b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1520 schtasks.exe
840 schtasks.exe
1252 schtasks.exe

pid	process
1520	schtasks.exe
840	schtasks.exe
1252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

04744d68089e1df52c65fded5fc4b78b.exepowershell.exepowershell.exe04744d68089e1df52c65fded5fc4b78b.exe

pid	process
1884	04744d68089e1df52c65fded5fc4b78b.exe
1884	04744d68089e1df52c65fded5fc4b78b.exe
1480	powershell.exe
1656	powershell.exe
1916	04744d68089e1df52c65fded5fc4b78b.exe
1916	04744d68089e1df52c65fded5fc4b78b.exe
1916	04744d68089e1df52c65fded5fc4b78b.exe
1916	04744d68089e1df52c65fded5fc4b78b.exe
1916	04744d68089e1df52c65fded5fc4b78b.exe
1916	04744d68089e1df52c65fded5fc4b78b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

pid process

1916 04744d68089e1df52c65fded5fc4b78b.exe

pid	process
1916	04744d68089e1df52c65fded5fc4b78b.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

04744d68089e1df52c65fded5fc4b78b.exepowershell.exepowershell.exe04744d68089e1df52c65fded5fc4b78b.exe

description	pid	process
Token: SeDebugPrivilege	1884	04744d68089e1df52c65fded5fc4b78b.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1916	04744d68089e1df52c65fded5fc4b78b.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

04744d68089e1df52c65fded5fc4b78b.exe04744d68089e1df52c65fded5fc4b78b.exe

description	pid	process	target process
PID 1884 wrote to memory of 1656	1884	04744d68089e1df52c65fded5fc4b78b.exe	powershell.exe
PID 1884 wrote to memory of 1656	1884	04744d68089e1df52c65fded5fc4b78b.exe	powershell.exe
PID 1884 wrote to memory of 1656	1884	04744d68089e1df52c65fded5fc4b78b.exe	powershell.exe
PID 1884 wrote to memory of 1656	1884	04744d68089e1df52c65fded5fc4b78b.exe	powershell.exe
PID 1884 wrote to memory of 1480	1884	04744d68089e1df52c65fded5fc4b78b.exe	powershell.exe
PID 1884 wrote to memory of 1480	1884	04744d68089e1df52c65fded5fc4b78b.exe	powershell.exe
PID 1884 wrote to memory of 1480	1884	04744d68089e1df52c65fded5fc4b78b.exe	powershell.exe
PID 1884 wrote to memory of 1480	1884	04744d68089e1df52c65fded5fc4b78b.exe	powershell.exe
PID 1884 wrote to memory of 1520	1884	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 1884 wrote to memory of 1520	1884	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 1884 wrote to memory of 1520	1884	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 1884 wrote to memory of 1520	1884	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 1884 wrote to memory of 1916	1884	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 1884 wrote to memory of 1916	1884	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 1884 wrote to memory of 1916	1884	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 1884 wrote to memory of 1916	1884	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 1884 wrote to memory of 1916	1884	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 1884 wrote to memory of 1916	1884	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 1884 wrote to memory of 1916	1884	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 1884 wrote to memory of 1916	1884	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 1884 wrote to memory of 1916	1884	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 1916 wrote to memory of 840	1916	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 1916 wrote to memory of 840	1916	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 1916 wrote to memory of 840	1916	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 1916 wrote to memory of 840	1916	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 1916 wrote to memory of 1252	1916	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 1916 wrote to memory of 1252	1916	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 1916 wrote to memory of 1252	1916	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 1916 wrote to memory of 1252	1916	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\04744d68089e1df52c65fded5fc4b78b.exe
"C:\Users\Admin\AppData\Local\Temp\04744d68089e1df52c65fded5fc4b78b.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\04744d68089e1df52c65fded5fc4b78b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vuvGuoOt.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vuvGuoOt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD1B2.tmp"
2⤵
- Creates scheduled task(s)
PID:1520

C:\Users\Admin\AppData\Local\Temp\04744d68089e1df52c65fded5fc4b78b.exe
"C:\Users\Admin\AppData\Local\Temp\04744d68089e1df52c65fded5fc4b78b.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD615.tmp"
3⤵
- Creates scheduled task(s)
PID:840

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD73E.tmp"
3⤵
- Creates scheduled task(s)
PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

4

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD1B2.tmp
Filesize
1KB

MD5
5c9589ba148e93ebd282f9862fc96bb2

SHA1
99efe0d3a7f904214a2c0e1ceeaf818cd6c394a7

SHA256
fd8afbd9bc3d7200cc1d5268620c499dcc4bcffac9d011eeb12390578245e0dd

SHA512
d9c188d23d0bf3b8cb136e4c1c1dbefb6fce942ea9117d3e8e544e9a38dcae0f51e958b5debf8da393d6085bdd44cd56fda3b7dbfcba8ac28300ac792e40fec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD615.tmp
Filesize
1KB

MD5
771d415e7e367a38ded7099e97f3baf2

SHA1
cf4ebf514926ec70be996e495dbe8dbaf66d32d8

SHA256
60c69361b7f874a41a884852f9faaff711e48966b54c21cbf824f971e9da27dd

SHA512
186d305116faf62185f34e6f22b86fac317f83699bda05bc8be54be67d93bf91f0702392111be233bfda9814278434951c67e216afafa30e09be77f810799601

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD73E.tmp
Filesize
1KB

MD5
4e71faa3a77029484cfaba423d96618f

SHA1
9c837d050bb43d69dc608af809c292e13bca4718

SHA256
c470f45efd2e7c4c5b88534a18965a78dce0f8e154d3e45a9d5569ad0e334bdb

SHA512
6d014de41352f2b0b494d94cd58188791e81d4e53578d0722110b6827793b735e19c614877f25c61b26233dea1b5f1998ba1240bdc8fa04c87b7e64a4ca15fe0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
b23c0ea7a00bf0a4fe52a6db94e06802

SHA1
eb06c943d2a26f5216535df423c83c0be6554e6e

SHA256
56bfad11a71e1aeff1aed01761dae646d91714f897bd866b04b3b34108abd32b

SHA512
70a404c0b88b74ba1121efb31ed926f1a8fa4e8659854e53fe8357e206c2189e46e0997bae9ca35d8c6f8b34a56d0d44b7d385ab8149be2ee5aa062bd5b516b5

Download Submit
memory/840-81-0x0000000000000000-mapping.dmp

Download
memory/1252-83-0x0000000000000000-mapping.dmp

Download
memory/1480-90-0x000000006EC00000-0x000000006F1AB000-memory.dmp

Filesize
5.7MB

Download
memory/1480-89-0x000000006EC00000-0x000000006F1AB000-memory.dmp

Filesize
5.7MB

Download
memory/1480-61-0x0000000000000000-mapping.dmp

Download
memory/1520-62-0x0000000000000000-mapping.dmp

Download
memory/1656-66-0x000000006EC00000-0x000000006F1AB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-91-0x000000006EC00000-0x000000006F1AB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-59-0x0000000000000000-mapping.dmp

Download
memory/1884-54-0x0000000001110000-0x00000000011C4000-memory.dmp

Filesize
720KB

Download
memory/1884-55-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1884-56-0x0000000000590000-0x00000000005AA000-memory.dmp

Filesize
104KB

Download
memory/1884-67-0x000000000A340000-0x000000000A38A000-memory.dmp

Filesize
296KB

Download
memory/1884-57-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/1884-58-0x0000000005E60000-0x0000000005EF0000-memory.dmp

Filesize
576KB

Download
memory/1916-88-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/1916-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1916-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1916-68-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1916-69-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1916-86-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/1916-85-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/1916-87-0x0000000000610000-0x000000000062E000-memory.dmp

Filesize
120KB

Download
memory/1916-71-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1916-74-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1916-75-0x000000000041E792-mapping.dmp

Download
memory/1916-77-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1916-92-0x00000000006E0000-0x00000000006F2000-memory.dmp

Filesize
72KB

Download
memory/1916-93-0x0000000000CD0000-0x0000000000CEA000-memory.dmp

Filesize
104KB

Download
memory/1916-96-0x0000000000EE0000-0x0000000000EEE000-memory.dmp

Filesize
56KB

Download
memory/1916-95-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/1916-94-0x0000000000D70000-0x0000000000D7E000-memory.dmp

Filesize
56KB

Download
memory/1916-98-0x0000000000F00000-0x0000000000F14000-memory.dmp

Filesize
80KB

Download
memory/1916-97-0x0000000000EF0000-0x0000000000EFC000-memory.dmp

Filesize
48KB

Download
memory/1916-99-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/1916-100-0x0000000001020000-0x0000000001034000-memory.dmp

Filesize
80KB

Download
memory/1916-101-0x0000000001100000-0x000000000110E000-memory.dmp

Filesize
56KB

Download
memory/1916-102-0x00000000048A0000-0x00000000048CE000-memory.dmp

Filesize
184KB

Download
memory/1916-103-0x00000000048E0000-0x00000000048F4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads