nanocore | 88ece67c89bf10fe005fba4035ba82d93917b6196b7e8a20de6d17dd3181a9ab

General

Target

9abf44c3ad590c8138af6f6f4a990f2d.exe
Size

728KB
MD5

9abf44c3ad590c8138af6f6f4a990f2d
SHA1

935c17b477a05119675f0eea18e805cada7151c0
SHA256

88ece67c89bf10fe005fba4035ba82d93917b6196b7e8a20de6d17dd3181a9ab
SHA512

b081797a8fbfafe09ff07955365e6383736e263920e858bdce274187d1f72dda311cc9edac983434a671d00243141614f06f182d4cf84121812cebad7de43199
SSDEEP

12288:USqg5SmF75enOrObWmsRHIztZwAQMev5Be4txB49nHp/cbOeaEz/R2G:6mZ5JObWmsRWtZw2GBxB49nHlcoo/RF

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

tzitziklishop.ddns.net:1665

Mutex

1353b0ad-2499-432f-9b11-0b34111cc177

Attributes

activate_away_mode
true
backup_connection_host
tzitziklishop.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-06-10T06:52:34.128947636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1665
default_group
August
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
1353b0ad-2499-432f-9b11-0b34111cc177
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
tzitziklishop.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9abf44c3ad590c8138af6f6f4a990f2d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe"	9abf44c3ad590c8138af6f6f4a990f2d.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

9abf44c3ad590c8138af6f6f4a990f2d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9abf44c3ad590c8138af6f6f4a990f2d.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9abf44c3ad590c8138af6f6f4a990f2d.exe

description pid process target process

PID 1372 set thread context of 776 1372 9abf44c3ad590c8138af6f6f4a990f2d.exe 9abf44c3ad590c8138af6f6f4a990f2d.exe

description	pid	process	target process
PID 1372 set thread context of 776	1372	9abf44c3ad590c8138af6f6f4a990f2d.exe	9abf44c3ad590c8138af6f6f4a990f2d.exe

Drops file in Program Files directory 2 IoCs

Processes:

9abf44c3ad590c8138af6f6f4a990f2d.exe

description	ioc	process
File created	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	9abf44c3ad590c8138af6f6f4a990f2d.exe
File opened for modification	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	9abf44c3ad590c8138af6f6f4a990f2d.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1908 schtasks.exe
1872 schtasks.exe

pid	process
1908	schtasks.exe
1872	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

9abf44c3ad590c8138af6f6f4a990f2d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	9abf44c3ad590c8138af6f6f4a990f2d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	9abf44c3ad590c8138af6f6f4a990f2d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	9abf44c3ad590c8138af6f6f4a990f2d.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

9abf44c3ad590c8138af6f6f4a990f2d.exe

pid	process
776	9abf44c3ad590c8138af6f6f4a990f2d.exe
776	9abf44c3ad590c8138af6f6f4a990f2d.exe
776	9abf44c3ad590c8138af6f6f4a990f2d.exe
776	9abf44c3ad590c8138af6f6f4a990f2d.exe
776	9abf44c3ad590c8138af6f6f4a990f2d.exe
776	9abf44c3ad590c8138af6f6f4a990f2d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

9abf44c3ad590c8138af6f6f4a990f2d.exe

pid process

776 9abf44c3ad590c8138af6f6f4a990f2d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9abf44c3ad590c8138af6f6f4a990f2d.exe

description pid process

Token: SeDebugPrivilege 776 9abf44c3ad590c8138af6f6f4a990f2d.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

9abf44c3ad590c8138af6f6f4a990f2d.exe

pid process

1372 9abf44c3ad590c8138af6f6f4a990f2d.exe
1372 9abf44c3ad590c8138af6f6f4a990f2d.exe

description	pid	process
Token: SeDebugPrivilege	776	9abf44c3ad590c8138af6f6f4a990f2d.exe

pid	process
1372	9abf44c3ad590c8138af6f6f4a990f2d.exe
1372	9abf44c3ad590c8138af6f6f4a990f2d.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

9abf44c3ad590c8138af6f6f4a990f2d.exe9abf44c3ad590c8138af6f6f4a990f2d.exe

description	pid	process	target process
PID 1372 wrote to memory of 776	1372	9abf44c3ad590c8138af6f6f4a990f2d.exe	9abf44c3ad590c8138af6f6f4a990f2d.exe
PID 1372 wrote to memory of 776	1372	9abf44c3ad590c8138af6f6f4a990f2d.exe	9abf44c3ad590c8138af6f6f4a990f2d.exe
PID 1372 wrote to memory of 776	1372	9abf44c3ad590c8138af6f6f4a990f2d.exe	9abf44c3ad590c8138af6f6f4a990f2d.exe
PID 1372 wrote to memory of 776	1372	9abf44c3ad590c8138af6f6f4a990f2d.exe	9abf44c3ad590c8138af6f6f4a990f2d.exe
PID 1372 wrote to memory of 776	1372	9abf44c3ad590c8138af6f6f4a990f2d.exe	9abf44c3ad590c8138af6f6f4a990f2d.exe
PID 1372 wrote to memory of 776	1372	9abf44c3ad590c8138af6f6f4a990f2d.exe	9abf44c3ad590c8138af6f6f4a990f2d.exe
PID 1372 wrote to memory of 776	1372	9abf44c3ad590c8138af6f6f4a990f2d.exe	9abf44c3ad590c8138af6f6f4a990f2d.exe
PID 1372 wrote to memory of 776	1372	9abf44c3ad590c8138af6f6f4a990f2d.exe	9abf44c3ad590c8138af6f6f4a990f2d.exe
PID 1372 wrote to memory of 776	1372	9abf44c3ad590c8138af6f6f4a990f2d.exe	9abf44c3ad590c8138af6f6f4a990f2d.exe
PID 776 wrote to memory of 1908	776	9abf44c3ad590c8138af6f6f4a990f2d.exe	schtasks.exe
PID 776 wrote to memory of 1908	776	9abf44c3ad590c8138af6f6f4a990f2d.exe	schtasks.exe
PID 776 wrote to memory of 1908	776	9abf44c3ad590c8138af6f6f4a990f2d.exe	schtasks.exe
PID 776 wrote to memory of 1908	776	9abf44c3ad590c8138af6f6f4a990f2d.exe	schtasks.exe
PID 776 wrote to memory of 1872	776	9abf44c3ad590c8138af6f6f4a990f2d.exe	schtasks.exe
PID 776 wrote to memory of 1872	776	9abf44c3ad590c8138af6f6f4a990f2d.exe	schtasks.exe
PID 776 wrote to memory of 1872	776	9abf44c3ad590c8138af6f6f4a990f2d.exe	schtasks.exe
PID 776 wrote to memory of 1872	776	9abf44c3ad590c8138af6f6f4a990f2d.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\9abf44c3ad590c8138af6f6f4a990f2d.exe
"C:\Users\Admin\AppData\Local\Temp\9abf44c3ad590c8138af6f6f4a990f2d.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\9abf44c3ad590c8138af6f6f4a990f2d.exe
"C:\Users\Admin\AppData\Local\Temp\9abf44c3ad590c8138af6f6f4a990f2d.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEB4A.tmp"
3⤵
- Creates scheduled task(s)
PID:1908

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEDE9.tmp"
3⤵
- Creates scheduled task(s)
PID:1872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEB4A.tmp

Filesize
1KB

MD5
ca7cb55870c2c610179ceb86df1fb442

SHA1
30372cbd5b26127c994ef05c5aac9b12fdb724ad

SHA256
ead604c1be1da0bf1d70706054799b750180c687bd9213e720384bbb344ad30b

SHA512
3f59097d176aa42e68891788f81579df6d04ef225823cb40fc3beea6ab451678971ce5c0867d50c4928fcaa2410b053e399b26253635621569ba442b445edcb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEDE9.tmp

Filesize
1KB

MD5
981e126601526eaa5b0ad45c496c4465

SHA1
d610d6a21a8420cc73fcd3e54ddae75a5897b28b

SHA256
11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527

SHA512
a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb

Download Submit
memory/776-83-0x0000000000B50000-0x0000000000B6A000-memory.dmp

Filesize
104KB

Download
memory/776-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/776-93-0x00000000012D0000-0x00000000012E4000-memory.dmp

Filesize
80KB

Download
memory/776-92-0x0000000001330000-0x000000000135E000-memory.dmp

Filesize
184KB

Download
memory/776-91-0x00000000012B0000-0x00000000012BE000-memory.dmp

Filesize
56KB

Download
memory/776-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/776-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/776-90-0x00000000012A0000-0x00000000012B4000-memory.dmp

Filesize
80KB

Download
memory/776-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/776-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/776-68-0x000000000041E792-mapping.dmp

Download
memory/776-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/776-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/776-79-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download
memory/776-89-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/776-88-0x0000000000EB0000-0x0000000000EC4000-memory.dmp

Filesize
80KB

Download
memory/776-87-0x0000000000EA0000-0x0000000000EAE000-memory.dmp

Filesize
56KB

Download
memory/776-86-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/776-85-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

Filesize
72KB

Download
memory/776-80-0x00000000006E0000-0x00000000006FE000-memory.dmp

Filesize
120KB

Download
memory/776-81-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/776-82-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/776-84-0x0000000000C00000-0x0000000000C0E000-memory.dmp

Filesize
56KB

Download
memory/1372-54-0x0000000001360000-0x000000000141C000-memory.dmp

Filesize
752KB

Download
memory/1372-73-0x0000000001037000-0x0000000001048000-memory.dmp

Filesize
68KB

Download
memory/1372-57-0x0000000001037000-0x0000000001048000-memory.dmp

Filesize
68KB

Download
memory/1372-59-0x0000000008570000-0x0000000008604000-memory.dmp

Filesize
592KB

Download
memory/1372-56-0x0000000000C80000-0x0000000000C98000-memory.dmp

Filesize
96KB

Download
memory/1372-55-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1372-60-0x0000000004ED0000-0x0000000004F0A000-memory.dmp

Filesize
232KB

Download
memory/1372-58-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download
memory/1872-77-0x0000000000000000-mapping.dmp

Download
memory/1908-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads