nanocore | 45c33bd71b10c7b6ccc4ea712eac64993e3b5fb907fe210d4ebacd3c2e320ac1

General

Target

MAJSUKDOLR-COPY.exe
Size

500.0MB
MD5

65401fd8ceadff6d78f5484255fa1b35
SHA1

df03cee3ff44dbef34f470aeb5118195c731324c
SHA256

45c33bd71b10c7b6ccc4ea712eac64993e3b5fb907fe210d4ebacd3c2e320ac1
SHA512

3b5760bfb04cf1e3b3ddfc07aeef3dde53bf849601958d8d42b49edf88eaa09c106e47c691d71f31743b33f0067cd2296c38edfbaaef3c548ec6f3dacfeb73b2
SSDEEP

6144:zzR0netQObEM9xDoHUfz/Wm071uBuS+E7nH/v9xuEcPvZBvYZE:zzRceDbtWAz/W5aL/v9wEW

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

nano8100.duckdns.org:8100

Mutex

ea2df3dd-6f75-4cfc-bf5b-706727f74cdd

Attributes

activate_away_mode
true
backup_connection_host
nano8100.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-02-15T20:53:01.763064736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8100
default_group
may 8100
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
ea2df3dd-6f75-4cfc-bf5b-706727f74cdd
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
nano8100.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 5 IoCs

Processes:

hhkh.exehhkh.exehhkh.exehhkh.exehhkh.exe

pid process

832 hhkh.exe
628 hhkh.exe
1340 hhkh.exe
1968 hhkh.exe
832 hhkh.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

pid	process
832	hhkh.exe
628	hhkh.exe
1340	hhkh.exe
1968	hhkh.exe
832	hhkh.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

MAJSUKDOLR-COPY.exehhkh.exehhkh.exehhkh.exehhkh.exe

description	pid	process	target process
PID 1120 set thread context of 1848	1120	MAJSUKDOLR-COPY.exe	RegAsm.exe
PID 832 set thread context of 1620	832	hhkh.exe	RegAsm.exe
PID 628 set thread context of 960	628	hhkh.exe	RegAsm.exe
PID 1340 set thread context of 1872	1340	hhkh.exe	RegAsm.exe
PID 1968 set thread context of 1452	1968	hhkh.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1712 schtasks.exe
1744 schtasks.exe
1164 schtasks.exe
1620 schtasks.exe
628 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

RegAsm.exe

pid process

1848 RegAsm.exe
1848 RegAsm.exe
1848 RegAsm.exe
1848 RegAsm.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

1848 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1848 RegAsm.exe

pid	process
1712	schtasks.exe
1744	schtasks.exe
1164	schtasks.exe
1620	schtasks.exe
628	schtasks.exe

pid	process
1848	RegAsm.exe
1848	RegAsm.exe
1848	RegAsm.exe
1848	RegAsm.exe

pid	process
1848	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1848	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MAJSUKDOLR-COPY.execmd.exetaskeng.exehhkh.execmd.exehhkh.exe

description	pid	process	target process
PID 1120 wrote to memory of 704	1120	MAJSUKDOLR-COPY.exe	cmd.exe
PID 1120 wrote to memory of 704	1120	MAJSUKDOLR-COPY.exe	cmd.exe
PID 1120 wrote to memory of 704	1120	MAJSUKDOLR-COPY.exe	cmd.exe
PID 1120 wrote to memory of 704	1120	MAJSUKDOLR-COPY.exe	cmd.exe
PID 1120 wrote to memory of 880	1120	MAJSUKDOLR-COPY.exe	cmd.exe
PID 1120 wrote to memory of 880	1120	MAJSUKDOLR-COPY.exe	cmd.exe
PID 1120 wrote to memory of 880	1120	MAJSUKDOLR-COPY.exe	cmd.exe
PID 1120 wrote to memory of 880	1120	MAJSUKDOLR-COPY.exe	cmd.exe
PID 704 wrote to memory of 1712	704	cmd.exe	schtasks.exe
PID 704 wrote to memory of 1712	704	cmd.exe	schtasks.exe
PID 704 wrote to memory of 1712	704	cmd.exe	schtasks.exe
PID 704 wrote to memory of 1712	704	cmd.exe	schtasks.exe
PID 1120 wrote to memory of 1848	1120	MAJSUKDOLR-COPY.exe	RegAsm.exe
PID 1120 wrote to memory of 1848	1120	MAJSUKDOLR-COPY.exe	RegAsm.exe
PID 1120 wrote to memory of 1848	1120	MAJSUKDOLR-COPY.exe	RegAsm.exe
PID 1120 wrote to memory of 1848	1120	MAJSUKDOLR-COPY.exe	RegAsm.exe
PID 1120 wrote to memory of 1848	1120	MAJSUKDOLR-COPY.exe	RegAsm.exe
PID 1120 wrote to memory of 1848	1120	MAJSUKDOLR-COPY.exe	RegAsm.exe
PID 1120 wrote to memory of 1848	1120	MAJSUKDOLR-COPY.exe	RegAsm.exe
PID 1120 wrote to memory of 1848	1120	MAJSUKDOLR-COPY.exe	RegAsm.exe
PID 1120 wrote to memory of 1848	1120	MAJSUKDOLR-COPY.exe	RegAsm.exe
PID 1120 wrote to memory of 1848	1120	MAJSUKDOLR-COPY.exe	RegAsm.exe
PID 1120 wrote to memory of 1848	1120	MAJSUKDOLR-COPY.exe	RegAsm.exe
PID 1120 wrote to memory of 1848	1120	MAJSUKDOLR-COPY.exe	RegAsm.exe
PID 1508 wrote to memory of 832	1508	taskeng.exe	hhkh.exe
PID 1508 wrote to memory of 832	1508	taskeng.exe	hhkh.exe
PID 1508 wrote to memory of 832	1508	taskeng.exe	hhkh.exe
PID 1508 wrote to memory of 832	1508	taskeng.exe	hhkh.exe
PID 832 wrote to memory of 1504	832	hhkh.exe	cmd.exe
PID 832 wrote to memory of 1504	832	hhkh.exe	cmd.exe
PID 832 wrote to memory of 1504	832	hhkh.exe	cmd.exe
PID 832 wrote to memory of 1504	832	hhkh.exe	cmd.exe
PID 832 wrote to memory of 2004	832	hhkh.exe	cmd.exe
PID 832 wrote to memory of 2004	832	hhkh.exe	cmd.exe
PID 832 wrote to memory of 2004	832	hhkh.exe	cmd.exe
PID 832 wrote to memory of 2004	832	hhkh.exe	cmd.exe
PID 832 wrote to memory of 1620	832	hhkh.exe	RegAsm.exe
PID 832 wrote to memory of 1620	832	hhkh.exe	RegAsm.exe
PID 832 wrote to memory of 1620	832	hhkh.exe	RegAsm.exe
PID 832 wrote to memory of 1620	832	hhkh.exe	RegAsm.exe
PID 832 wrote to memory of 1620	832	hhkh.exe	RegAsm.exe
PID 832 wrote to memory of 1620	832	hhkh.exe	RegAsm.exe
PID 832 wrote to memory of 1620	832	hhkh.exe	RegAsm.exe
PID 1504 wrote to memory of 1744	1504	cmd.exe	schtasks.exe
PID 1504 wrote to memory of 1744	1504	cmd.exe	schtasks.exe
PID 1504 wrote to memory of 1744	1504	cmd.exe	schtasks.exe
PID 1504 wrote to memory of 1744	1504	cmd.exe	schtasks.exe
PID 832 wrote to memory of 1620	832	hhkh.exe	RegAsm.exe
PID 832 wrote to memory of 1620	832	hhkh.exe	RegAsm.exe
PID 832 wrote to memory of 1620	832	hhkh.exe	RegAsm.exe
PID 832 wrote to memory of 1620	832	hhkh.exe	RegAsm.exe
PID 832 wrote to memory of 1620	832	hhkh.exe	RegAsm.exe
PID 1508 wrote to memory of 628	1508	taskeng.exe	hhkh.exe
PID 1508 wrote to memory of 628	1508	taskeng.exe	hhkh.exe
PID 1508 wrote to memory of 628	1508	taskeng.exe	hhkh.exe
PID 1508 wrote to memory of 628	1508	taskeng.exe	hhkh.exe
PID 628 wrote to memory of 1996	628	hhkh.exe	cmd.exe
PID 628 wrote to memory of 1996	628	hhkh.exe	cmd.exe
PID 628 wrote to memory of 1996	628	hhkh.exe	cmd.exe
PID 628 wrote to memory of 1996	628	hhkh.exe	cmd.exe
PID 628 wrote to memory of 1908	628	hhkh.exe	cmd.exe
PID 628 wrote to memory of 1908	628	hhkh.exe	cmd.exe
PID 628 wrote to memory of 1908	628	hhkh.exe	cmd.exe
PID 628 wrote to memory of 1908	628	hhkh.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\MAJSUKDOLR-COPY.exe
"C:\Users\Admin\AppData\Local\Temp\MAJSUKDOLR-COPY.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hhkh.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hhkh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1712

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\MAJSUKDOLR-COPY.exe" "C:\Users\Admin\AppData\Roaming\hhkh.exe"
2⤵
PID:880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\system32\taskeng.exe
taskeng.exe {BADD0653-4C42-4700-B4B2-1E659007676E} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Roaming\hhkh.exe
C:\Users\Admin\AppData\Roaming\hhkh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hhkh.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hhkh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\hhkh.exe" "C:\Users\Admin\AppData\Roaming\hhkh.exe"
3⤵
PID:2004

C:\Users\Admin\AppData\Roaming\hhkh.exe
C:\Users\Admin\AppData\Roaming\hhkh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hhkh.exe'" /f
3⤵
PID:1996

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hhkh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1164

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\hhkh.exe" "C:\Users\Admin\AppData\Roaming\hhkh.exe"
3⤵
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:960

C:\Users\Admin\AppData\Roaming\hhkh.exe
C:\Users\Admin\AppData\Roaming\hhkh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1340

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hhkh.exe'" /f
3⤵
PID:1776

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hhkh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1620

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\hhkh.exe" "C:\Users\Admin\AppData\Roaming\hhkh.exe"
3⤵
PID:796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1872

C:\Users\Admin\AppData\Roaming\hhkh.exe
C:\Users\Admin\AppData\Roaming\hhkh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1968

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hhkh.exe'" /f
3⤵
PID:1080

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hhkh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:628

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\hhkh.exe" "C:\Users\Admin\AppData\Roaming\hhkh.exe"
3⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1452

C:\Users\Admin\AppData\Roaming\hhkh.exe
C:\Users\Admin\AppData\Roaming\hhkh.exe
2⤵
- Executes dropped EXE
PID:832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\hhkh.exe
Filesize
500.0MB

MD5
65401fd8ceadff6d78f5484255fa1b35

SHA1
df03cee3ff44dbef34f470aeb5118195c731324c

SHA256
45c33bd71b10c7b6ccc4ea712eac64993e3b5fb907fe210d4ebacd3c2e320ac1

SHA512
3b5760bfb04cf1e3b3ddfc07aeef3dde53bf849601958d8d42b49edf88eaa09c106e47c691d71f31743b33f0067cd2296c38edfbaaef3c548ec6f3dacfeb73b2

Download Submit
C:\Users\Admin\AppData\Roaming\hhkh.exe
Filesize
500.0MB

MD5
65401fd8ceadff6d78f5484255fa1b35

SHA1
df03cee3ff44dbef34f470aeb5118195c731324c

SHA256
45c33bd71b10c7b6ccc4ea712eac64993e3b5fb907fe210d4ebacd3c2e320ac1

SHA512
3b5760bfb04cf1e3b3ddfc07aeef3dde53bf849601958d8d42b49edf88eaa09c106e47c691d71f31743b33f0067cd2296c38edfbaaef3c548ec6f3dacfeb73b2

Download Submit
C:\Users\Admin\AppData\Roaming\hhkh.exe
Filesize
500.0MB

MD5
65401fd8ceadff6d78f5484255fa1b35

SHA1
df03cee3ff44dbef34f470aeb5118195c731324c

SHA256
45c33bd71b10c7b6ccc4ea712eac64993e3b5fb907fe210d4ebacd3c2e320ac1

SHA512
3b5760bfb04cf1e3b3ddfc07aeef3dde53bf849601958d8d42b49edf88eaa09c106e47c691d71f31743b33f0067cd2296c38edfbaaef3c548ec6f3dacfeb73b2

Download Submit
C:\Users\Admin\AppData\Roaming\hhkh.exe
Filesize
233.6MB

MD5
7840010b2140f8e7fa97ca2633f81751

SHA1
b420c3a5350a6ffee57cb1ddf52368c1b3858d0e

SHA256
dc9743099df49037b305710adbc2cf33b31901375551a53533c23efab5eef432

SHA512
d7db9af8ef7354544070ac0208a24473b2213a2dfd29727be584339240c72a9c3e377fb293bc4f3229a85cd0763bfcf4cee56f06a0028e8ad4cc7ff99d83bf26

Download Submit
C:\Users\Admin\AppData\Roaming\hhkh.exe
Filesize
500.0MB

MD5
65401fd8ceadff6d78f5484255fa1b35

SHA1
df03cee3ff44dbef34f470aeb5118195c731324c

SHA256
45c33bd71b10c7b6ccc4ea712eac64993e3b5fb907fe210d4ebacd3c2e320ac1

SHA512
3b5760bfb04cf1e3b3ddfc07aeef3dde53bf849601958d8d42b49edf88eaa09c106e47c691d71f31743b33f0067cd2296c38edfbaaef3c548ec6f3dacfeb73b2

Download Submit
C:\Users\Admin\AppData\Roaming\hhkh.exe
Filesize
500.0MB

MD5
65401fd8ceadff6d78f5484255fa1b35

SHA1
df03cee3ff44dbef34f470aeb5118195c731324c

SHA256
45c33bd71b10c7b6ccc4ea712eac64993e3b5fb907fe210d4ebacd3c2e320ac1

SHA512
3b5760bfb04cf1e3b3ddfc07aeef3dde53bf849601958d8d42b49edf88eaa09c106e47c691d71f31743b33f0067cd2296c38edfbaaef3c548ec6f3dacfeb73b2

Download Submit
memory/628-159-0x0000000000000000-mapping.dmp

Download
memory/628-111-0x0000000001310000-0x0000000001362000-memory.dmp

Filesize
328KB

Download
memory/628-109-0x0000000000000000-mapping.dmp

Download
memory/704-56-0x0000000000000000-mapping.dmp

Download
memory/796-139-0x0000000000000000-mapping.dmp

Download
memory/832-173-0x0000000000000000-mapping.dmp

Download
memory/832-175-0x0000000000230000-0x0000000000282000-memory.dmp

Filesize
328KB

Download
memory/832-91-0x0000000001210000-0x0000000001262000-memory.dmp

Filesize
328KB

Download
memory/832-89-0x0000000000000000-mapping.dmp

Download
memory/880-57-0x0000000000000000-mapping.dmp

Download
memory/960-129-0x0000000000090000-0x00000000000C8000-memory.dmp

Filesize
224KB

Download
memory/960-132-0x0000000000090000-0x00000000000C8000-memory.dmp

Filesize
224KB

Download
memory/960-123-0x000000000041E792-mapping.dmp

Download
memory/960-125-0x0000000000090000-0x00000000000C8000-memory.dmp

Filesize
224KB

Download
memory/1080-157-0x0000000000000000-mapping.dmp

Download
memory/1120-54-0x0000000000070000-0x00000000000C2000-memory.dmp

Filesize
328KB

Download
memory/1120-55-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1164-121-0x0000000000000000-mapping.dmp

Download
memory/1340-136-0x00000000013C0000-0x0000000001412000-memory.dmp

Filesize
328KB

Download
memory/1340-134-0x0000000000000000-mapping.dmp

Download
memory/1452-167-0x000000000041E792-mapping.dmp

Download
memory/1504-93-0x0000000000000000-mapping.dmp

Download
memory/1620-146-0x0000000000000000-mapping.dmp

Download
memory/1620-103-0x000000000041E792-mapping.dmp

Download
memory/1712-58-0x0000000000000000-mapping.dmp

Download
memory/1744-95-0x0000000000000000-mapping.dmp

Download
memory/1776-138-0x0000000000000000-mapping.dmp

Download
memory/1848-87-0x0000000004BB0000-0x0000000004BC4000-memory.dmp

Filesize
80KB

Download
memory/1848-85-0x0000000004740000-0x000000000474E000-memory.dmp

Filesize
56KB

Download
memory/1848-72-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/1848-73-0x00000000005F0000-0x000000000060E000-memory.dmp

Filesize
120KB

Download
memory/1848-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1848-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1848-66-0x000000000041E792-mapping.dmp

Download
memory/1848-77-0x00000000022A0000-0x00000000022BA000-memory.dmp

Filesize
104KB

Download
memory/1848-78-0x0000000000930000-0x000000000093E000-memory.dmp

Filesize
56KB

Download
memory/1848-74-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/1848-75-0x0000000004CB5000-0x0000000004CC6000-memory.dmp

Filesize
68KB

Download
memory/1848-76-0x0000000000790000-0x000000000079C000-memory.dmp

Filesize
48KB

Download
memory/1848-86-0x0000000004C70000-0x0000000004C9E000-memory.dmp

Filesize
184KB

Download
memory/1848-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1848-84-0x0000000004730000-0x0000000004744000-memory.dmp

Filesize
80KB

Download
memory/1848-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1848-83-0x0000000004720000-0x0000000004730000-memory.dmp

Filesize
64KB

Download
memory/1848-82-0x0000000002340000-0x0000000002354000-memory.dmp

Filesize
80KB

Download
memory/1848-63-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1848-81-0x0000000002330000-0x000000000233E000-memory.dmp

Filesize
56KB

Download
memory/1848-79-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/1848-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1848-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1848-80-0x0000000002320000-0x000000000232C000-memory.dmp

Filesize
48KB

Download
memory/1872-148-0x000000000041E792-mapping.dmp

Download
memory/1908-114-0x0000000000000000-mapping.dmp

Download
memory/1968-154-0x0000000000000000-mapping.dmp

Download
memory/1996-158-0x0000000000000000-mapping.dmp

Download
memory/1996-113-0x0000000000000000-mapping.dmp

Download
memory/2004-94-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads