nanocore | 196fffbae1c2c00c4cdf52ec8547e07b012b11616a3e923f83d12e37d029af91

General

Target

04744d68089e1df52c65fded5fc4b78b.exe
Size

697KB
MD5

04744d68089e1df52c65fded5fc4b78b
SHA1

86877b212396f40ec8a7bcd45ac4b8a5f68a884b
SHA256

196fffbae1c2c00c4cdf52ec8547e07b012b11616a3e923f83d12e37d029af91
SHA512

2fbc456bd32626b5165b6131c349595059e9d18e9b787e0f2b07712b0e10065f0730b423c4b9653ebfedd0b15c83a914352dded63c6ed2aaf173bb4f1c07dcf2
SSDEEP

12288:9XHok11R/5PR+/SyeFX62G9/R/kjI28j0Hha3yRZ0QFu3+NjLLyqWP:dHBPnyeFX6h4s28j0Hha3iv2SPZW

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

updatedhostlogs.duckdns.org:15440

127.0.0.1:15440

Mutex

4d2e43d2-7711-42b4-aaa9-39d47a0f2cf9

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-05-29T02:50:37.913192336Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
15440
default_group
Stiler
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4d2e43d2-7711-42b4-aaa9-39d47a0f2cf9
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
updatedhostlogs.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions 04744d68089e1df52c65fded5fc4b78b.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools 04744d68089e1df52c65fded5fc4b78b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	04744d68089e1df52c65fded5fc4b78b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	04744d68089e1df52c65fded5fc4b78b.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	04744d68089e1df52c65fded5fc4b78b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	04744d68089e1df52c65fded5fc4b78b.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	04744d68089e1df52c65fded5fc4b78b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe"	04744d68089e1df52c65fded5fc4b78b.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	04744d68089e1df52c65fded5fc4b78b.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	04744d68089e1df52c65fded5fc4b78b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	04744d68089e1df52c65fded5fc4b78b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

description pid process target process

PID 4392 set thread context of 1500 4392 04744d68089e1df52c65fded5fc4b78b.exe 04744d68089e1df52c65fded5fc4b78b.exe

description	pid	process	target process
PID 4392 set thread context of 1500	4392	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe

Drops file in Program Files directory 2 IoCs

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

description	ioc	process
File created	C:\Program Files (x86)\DDP Host\ddphost.exe	04744d68089e1df52c65fded5fc4b78b.exe
File opened for modification	C:\Program Files (x86)\DDP Host\ddphost.exe	04744d68089e1df52c65fded5fc4b78b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4372 schtasks.exe
3844 schtasks.exe
3268 schtasks.exe

pid	process
4372	schtasks.exe
3844	schtasks.exe
3268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

04744d68089e1df52c65fded5fc4b78b.exepowershell.exepowershell.exe04744d68089e1df52c65fded5fc4b78b.exe

pid	process
4392	04744d68089e1df52c65fded5fc4b78b.exe
1128	powershell.exe
2308	powershell.exe
4392	04744d68089e1df52c65fded5fc4b78b.exe
4392	04744d68089e1df52c65fded5fc4b78b.exe
4392	04744d68089e1df52c65fded5fc4b78b.exe
1128	powershell.exe
2308	powershell.exe
1500	04744d68089e1df52c65fded5fc4b78b.exe
1500	04744d68089e1df52c65fded5fc4b78b.exe
1500	04744d68089e1df52c65fded5fc4b78b.exe
1500	04744d68089e1df52c65fded5fc4b78b.exe
1500	04744d68089e1df52c65fded5fc4b78b.exe
1500	04744d68089e1df52c65fded5fc4b78b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

04744d68089e1df52c65fded5fc4b78b.exe

pid process

1500 04744d68089e1df52c65fded5fc4b78b.exe

pid	process
1500	04744d68089e1df52c65fded5fc4b78b.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

04744d68089e1df52c65fded5fc4b78b.exepowershell.exepowershell.exe04744d68089e1df52c65fded5fc4b78b.exe

description	pid	process
Token: SeDebugPrivilege	4392	04744d68089e1df52c65fded5fc4b78b.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1500	04744d68089e1df52c65fded5fc4b78b.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

04744d68089e1df52c65fded5fc4b78b.exe04744d68089e1df52c65fded5fc4b78b.exe

description	pid	process	target process
PID 4392 wrote to memory of 1128	4392	04744d68089e1df52c65fded5fc4b78b.exe	powershell.exe
PID 4392 wrote to memory of 1128	4392	04744d68089e1df52c65fded5fc4b78b.exe	powershell.exe
PID 4392 wrote to memory of 1128	4392	04744d68089e1df52c65fded5fc4b78b.exe	powershell.exe
PID 4392 wrote to memory of 2308	4392	04744d68089e1df52c65fded5fc4b78b.exe	powershell.exe
PID 4392 wrote to memory of 2308	4392	04744d68089e1df52c65fded5fc4b78b.exe	powershell.exe
PID 4392 wrote to memory of 2308	4392	04744d68089e1df52c65fded5fc4b78b.exe	powershell.exe
PID 4392 wrote to memory of 4372	4392	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 4392 wrote to memory of 4372	4392	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 4392 wrote to memory of 4372	4392	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 4392 wrote to memory of 4740	4392	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 4392 wrote to memory of 4740	4392	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 4392 wrote to memory of 4740	4392	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 4392 wrote to memory of 1500	4392	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 4392 wrote to memory of 1500	4392	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 4392 wrote to memory of 1500	4392	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 4392 wrote to memory of 1500	4392	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 4392 wrote to memory of 1500	4392	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 4392 wrote to memory of 1500	4392	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 4392 wrote to memory of 1500	4392	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 4392 wrote to memory of 1500	4392	04744d68089e1df52c65fded5fc4b78b.exe	04744d68089e1df52c65fded5fc4b78b.exe
PID 1500 wrote to memory of 3844	1500	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 1500 wrote to memory of 3844	1500	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 1500 wrote to memory of 3844	1500	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 1500 wrote to memory of 3268	1500	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 1500 wrote to memory of 3268	1500	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe
PID 1500 wrote to memory of 3268	1500	04744d68089e1df52c65fded5fc4b78b.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\04744d68089e1df52c65fded5fc4b78b.exe
"C:\Users\Admin\AppData\Local\Temp\04744d68089e1df52c65fded5fc4b78b.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\04744d68089e1df52c65fded5fc4b78b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vuvGuoOt.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vuvGuoOt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp320C.tmp"
2⤵
- Creates scheduled task(s)
PID:4372

C:\Users\Admin\AppData\Local\Temp\04744d68089e1df52c65fded5fc4b78b.exe
"C:\Users\Admin\AppData\Local\Temp\04744d68089e1df52c65fded5fc4b78b.exe"
2⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\04744d68089e1df52c65fded5fc4b78b.exe
"C:\Users\Admin\AppData\Local\Temp\04744d68089e1df52c65fded5fc4b78b.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3652.tmp"
3⤵
- Creates scheduled task(s)
PID:3844

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp37CA.tmp"
3⤵
- Creates scheduled task(s)
PID:3268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

5

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\04744d68089e1df52c65fded5fc4b78b.exe.log

Filesize
1KB

MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
163b00e080a2cd9fe02d8fe8c56d60b1

SHA1
f4b361bdb1c1a19fe84ff46e7fabf1253588e830

SHA256
ed5daa0d44f5e9a31362893682b29ead9bc6bbb74c3568ead146c5f9678f3199

SHA512
5ee70ec24eb8485f0664d8f4cd59e0ffafc934328ebfc2432e37b20961eeb42d0f5b047938509d7bc2886fc7f99bf366a0f7d1098c3ab3fa9ce725bf05fd6788

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp320C.tmp

Filesize
1KB

MD5
f49876707e9c12403c7d1fcd9e97bf2f

SHA1
975e2e6689aae80b8aff0f091c2018a2956a779c

SHA256
99eea34eea03e31704aa094d6b968655f02ba899a6d8beb3e3113b1cb9acca76

SHA512
dc34c61cbff5a8aba2c629e8160ade46fc3187130110abb3cfbc3e784badbe2076d7d4524f58e8d886dd3b7508b95ca82eb77c34278c2367cd2f7d5692d6e45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3652.tmp

Filesize
1KB

MD5
771d415e7e367a38ded7099e97f3baf2

SHA1
cf4ebf514926ec70be996e495dbe8dbaf66d32d8

SHA256
60c69361b7f874a41a884852f9faaff711e48966b54c21cbf824f971e9da27dd

SHA512
186d305116faf62185f34e6f22b86fac317f83699bda05bc8be54be67d93bf91f0702392111be233bfda9814278434951c67e216afafa30e09be77f810799601

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp37CA.tmp

Filesize
1KB

MD5
2271642ca970891700e3f48439739ed8

SHA1
cd472df2349f7db9e1e460d0ee28acd97b8a8793

SHA256
7aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68

SHA512
4669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807

Download Submit
memory/1128-140-0x00000000055E0000-0x0000000005C08000-memory.dmp

Filesize
6.2MB

Download
memory/1128-139-0x0000000002BB0000-0x0000000002BE6000-memory.dmp

Filesize
216KB

Download
memory/1128-159-0x0000000007EB0000-0x000000000852A000-memory.dmp

Filesize
6.5MB

Download
memory/1128-156-0x0000000070E80000-0x0000000070ECC000-memory.dmp

Filesize
304KB

Download
memory/1128-158-0x0000000006A50000-0x0000000006A6E000-memory.dmp

Filesize
120KB

Download
memory/1128-143-0x0000000005500000-0x0000000005522000-memory.dmp

Filesize
136KB

Download
memory/1128-144-0x0000000005D10000-0x0000000005D76000-memory.dmp

Filesize
408KB

Download
memory/1128-137-0x0000000000000000-mapping.dmp

Download
memory/1128-161-0x0000000007840000-0x000000000784A000-memory.dmp

Filesize
40KB

Download
memory/1128-162-0x0000000007A50000-0x0000000007AE6000-memory.dmp

Filesize
600KB

Download
memory/1128-150-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/1500-147-0x0000000000000000-mapping.dmp

Download
memory/1500-148-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2308-141-0x0000000000000000-mapping.dmp

Download
memory/2308-164-0x0000000007CC0000-0x0000000007CDA000-memory.dmp

Filesize
104KB

Download
memory/2308-165-0x0000000007CA0000-0x0000000007CA8000-memory.dmp

Filesize
32KB

Download
memory/2308-163-0x0000000007BB0000-0x0000000007BBE000-memory.dmp

Filesize
56KB

Download
memory/2308-155-0x0000000006C30000-0x0000000006C62000-memory.dmp

Filesize
200KB

Download
memory/2308-157-0x0000000070E80000-0x0000000070ECC000-memory.dmp

Filesize
304KB

Download
memory/2308-160-0x0000000007980000-0x000000000799A000-memory.dmp

Filesize
104KB

Download
memory/3268-153-0x0000000000000000-mapping.dmp

Download
memory/3844-151-0x0000000000000000-mapping.dmp

Download
memory/4372-142-0x0000000000000000-mapping.dmp

Download
memory/4392-132-0x0000000000FB0000-0x0000000001064000-memory.dmp

Filesize
720KB

Download
memory/4392-138-0x000000000C4E0000-0x000000000C546000-memory.dmp

Filesize
408KB

Download
memory/4392-136-0x000000000BAC0000-0x000000000BB5C000-memory.dmp

Filesize
624KB

Download
memory/4392-135-0x0000000005A10000-0x0000000005A1A000-memory.dmp

Filesize
40KB

Download
memory/4392-134-0x0000000005AD0000-0x0000000005B62000-memory.dmp

Filesize
584KB

Download
memory/4392-133-0x0000000006080000-0x0000000006624000-memory.dmp

Filesize
5.6MB

Download
memory/4740-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads