nanocore | 510c92f4ed90b092940d8d47585e2a55d1ad71e7ecd87b3e6ec783ab23fc9ed9

General

Target

NaxorCrypter.exe
Size

2.2MB
MD5

b29c154b97950a07caf5aa3e3795a4a1
SHA1

8940008c6630ad14a42f76c72b63341adb406736
SHA256

51a39194cd5c21c1de6e9724f9b5890a2b50f9d7e3b7fa003a5e50beb9559fb4
SHA512

c21b40a6e412f0022da398212ddcf6cfdf51522715297d0275fb2983d936a1ace29f4f8a54f751617fc92121b825424389bdd096b9c59c4cff6a58a57bde7bc3
SSDEEP

24576:NkGGdafLtcWAjB9XvdBqLP2XDBxkdgGAQjdhnF61A5w/8yYBBifgqH3P64F7:G4ovIbqxCTx5w/Xf5f

Score

10^/10

nanocore njrat hacked evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

1337day.ddns.net:1900

Mutex

93979016-0516-4417-b883-a0edc923fe85

Attributes

activate_away_mode
true
backup_connection_host
1337day.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-07-29T17:12:59.761069736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1900
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
93979016-0516-4417-b883-a0edc923fe85
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

fal92.duckdns.org:10142

Mutex

3d25feee885880d8ab876c66d8b91d84

Attributes

reg_key
3d25feee885880d8ab876c66d8b91d84
splitter
|'|'|

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3268 netsh.exe

pid	process
3268	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NaxorCrypter.exeNaxor.exeCooporation Nvidia.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	NaxorCrypter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Naxor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Cooporation Nvidia.exe

Drops startup file 2 IoCs

Processes:

Cooporation Nvidia.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3d25feee885880d8ab876c66d8b91d84.exe	Cooporation Nvidia.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3d25feee885880d8ab876c66d8b91d84.exe	Cooporation Nvidia.exe

Executes dropped EXE 6 IoCs

Processes:

Naxor.exeCooporation Nvidia.exeNaxor Crypter.exeCooporation Nvidia.exeCooporation Nvidia.exeCooporation Nvidia.exe

pid process

1236 Naxor.exe
2320 Cooporation Nvidia.exe
1196 Naxor Crypter.exe
4996 Cooporation Nvidia.exe
4780 Cooporation Nvidia.exe
3600 Cooporation Nvidia.exe

pid	process
1236	Naxor.exe
2320	Cooporation Nvidia.exe
1196	Naxor Crypter.exe
4996	Cooporation Nvidia.exe
4780	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Cooporation Nvidia.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3d25feee885880d8ab876c66d8b91d84 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Cooporation Nvidia.exe\" .."	Cooporation Nvidia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3d25feee885880d8ab876c66d8b91d84 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Cooporation Nvidia.exe\" .."	Cooporation Nvidia.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

NaxorCrypter.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NaxorCrypter.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NaxorCrypter.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

Cooporation Nvidia.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	Cooporation Nvidia.exe
File created	C:\Windows\assembly\Desktop.ini	Cooporation Nvidia.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

NaxorCrypter.exeCooporation Nvidia.exeCooporation Nvidia.exe

description	pid	process	target process
PID 4480 set thread context of 4476	4480	NaxorCrypter.exe	NaxorCrypter.exe
PID 2320 set thread context of 4996	2320	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 4780 set thread context of 3600	4780	Cooporation Nvidia.exe	Cooporation Nvidia.exe

Drops file in Windows directory 3 IoCs

Processes:

Cooporation Nvidia.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	Cooporation Nvidia.exe
File created	C:\Windows\assembly\Desktop.ini	Cooporation Nvidia.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Cooporation Nvidia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2296 schtasks.exe

pid	process
2296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

NaxorCrypter.exeNaxorCrypter.exeCooporation Nvidia.exeCooporation Nvidia.exeCooporation Nvidia.exe

pid	process
4480	NaxorCrypter.exe
4480	NaxorCrypter.exe
4480	NaxorCrypter.exe
4476	NaxorCrypter.exe
4476	NaxorCrypter.exe
4476	NaxorCrypter.exe
4476	NaxorCrypter.exe
4476	NaxorCrypter.exe
4476	NaxorCrypter.exe
4476	NaxorCrypter.exe
4476	NaxorCrypter.exe
4476	NaxorCrypter.exe
2320	Cooporation Nvidia.exe
4780	Cooporation Nvidia.exe
4476	NaxorCrypter.exe
4476	NaxorCrypter.exe
4476	NaxorCrypter.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe
3600	Cooporation Nvidia.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NaxorCrypter.exe

pid process

4476 NaxorCrypter.exe

pid	process
4476	NaxorCrypter.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

NaxorCrypter.exeNaxorCrypter.exeCooporation Nvidia.exeCooporation Nvidia.exeCooporation Nvidia.exe

description	pid	process
Token: SeDebugPrivilege	4480	NaxorCrypter.exe
Token: SeDebugPrivilege	4476	NaxorCrypter.exe
Token: SeDebugPrivilege	2320	Cooporation Nvidia.exe
Token: SeDebugPrivilege	4780	Cooporation Nvidia.exe
Token: SeDebugPrivilege	3600	Cooporation Nvidia.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

NaxorCrypter.exeNaxor.exeCooporation Nvidia.exeCooporation Nvidia.exeCooporation Nvidia.exeCooporation Nvidia.exe

description	pid	process	target process
PID 4480 wrote to memory of 2296	4480	NaxorCrypter.exe	schtasks.exe
PID 4480 wrote to memory of 2296	4480	NaxorCrypter.exe	schtasks.exe
PID 4480 wrote to memory of 2296	4480	NaxorCrypter.exe	schtasks.exe
PID 4480 wrote to memory of 4476	4480	NaxorCrypter.exe	NaxorCrypter.exe
PID 4480 wrote to memory of 4476	4480	NaxorCrypter.exe	NaxorCrypter.exe
PID 4480 wrote to memory of 4476	4480	NaxorCrypter.exe	NaxorCrypter.exe
PID 4480 wrote to memory of 4476	4480	NaxorCrypter.exe	NaxorCrypter.exe
PID 4480 wrote to memory of 4476	4480	NaxorCrypter.exe	NaxorCrypter.exe
PID 4480 wrote to memory of 4476	4480	NaxorCrypter.exe	NaxorCrypter.exe
PID 4480 wrote to memory of 4476	4480	NaxorCrypter.exe	NaxorCrypter.exe
PID 4480 wrote to memory of 4476	4480	NaxorCrypter.exe	NaxorCrypter.exe
PID 4480 wrote to memory of 1236	4480	NaxorCrypter.exe	Naxor.exe
PID 4480 wrote to memory of 1236	4480	NaxorCrypter.exe	Naxor.exe
PID 4480 wrote to memory of 1236	4480	NaxorCrypter.exe	Naxor.exe
PID 1236 wrote to memory of 2320	1236	Naxor.exe	Cooporation Nvidia.exe
PID 1236 wrote to memory of 2320	1236	Naxor.exe	Cooporation Nvidia.exe
PID 1236 wrote to memory of 2320	1236	Naxor.exe	Cooporation Nvidia.exe
PID 1236 wrote to memory of 1196	1236	Naxor.exe	Naxor Crypter.exe
PID 1236 wrote to memory of 1196	1236	Naxor.exe	Naxor Crypter.exe
PID 1236 wrote to memory of 1196	1236	Naxor.exe	Naxor Crypter.exe
PID 2320 wrote to memory of 4996	2320	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 2320 wrote to memory of 4996	2320	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 2320 wrote to memory of 4996	2320	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 2320 wrote to memory of 4996	2320	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 2320 wrote to memory of 4996	2320	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 2320 wrote to memory of 4996	2320	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 2320 wrote to memory of 4996	2320	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 2320 wrote to memory of 4996	2320	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 4996 wrote to memory of 4780	4996	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 4996 wrote to memory of 4780	4996	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 4996 wrote to memory of 4780	4996	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 4780 wrote to memory of 3600	4780	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 4780 wrote to memory of 3600	4780	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 4780 wrote to memory of 3600	4780	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 4780 wrote to memory of 3600	4780	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 4780 wrote to memory of 3600	4780	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 4780 wrote to memory of 3600	4780	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 4780 wrote to memory of 3600	4780	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 4780 wrote to memory of 3600	4780	Cooporation Nvidia.exe	Cooporation Nvidia.exe
PID 3600 wrote to memory of 3268	3600	Cooporation Nvidia.exe	netsh.exe
PID 3600 wrote to memory of 3268	3600	Cooporation Nvidia.exe	netsh.exe
PID 3600 wrote to memory of 3268	3600	Cooporation Nvidia.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\NaxorCrypter.exe
"C:\Users\Admin\AppData\Local\Temp\NaxorCrypter.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Crypter\Crypter" /XML "C:\Users\Admin\AppData\Roaming\Crypter\aKKKKK.xml"
2⤵
- Creates scheduled task(s)
PID:2296

C:\Users\Admin\AppData\Local\Temp\NaxorCrypter.exe
"C:\Users\Admin\AppData\Local\Temp\NaxorCrypter.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Users\Admin\AppData\Local\Temp\Naxor.exe
"C:\Users\Admin\AppData\Local\Temp\Naxor.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\Cooporation Nvidia.exe
"C:\Users\Admin\AppData\Local\Temp\Cooporation Nvidia.exe"
3⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Local\Temp\Cooporation Nvidia.exe
"C:\Users\Admin\AppData\Local\Temp\Cooporation Nvidia.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996

C:\Users\Admin\AppData\Roaming\Cooporation Nvidia.exe
"C:\Users\Admin\AppData\Roaming\Cooporation Nvidia.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780

C:\Users\Admin\AppData\Roaming\Cooporation Nvidia.exe
"C:\Users\Admin\AppData\Roaming\Cooporation Nvidia.exe"
6⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Cooporation Nvidia.exe" "Cooporation Nvidia.exe" ENABLE
7⤵
- Modifies Windows Firewall
PID:3268

C:\Users\Admin\AppData\Local\Temp\Naxor Crypter.exe
"C:\Users\Admin\AppData\Local\Temp\Naxor Crypter.exe"
3⤵
- Executes dropped EXE
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Cooporation Nvidia.exe.log
Filesize
499B

MD5
13840f563b7e837c7db570b3332833a5

SHA1
dee01a177a63a813d58653908ccccd693f091676

SHA256
333bbd84120abbd26f38f867b6f96265e55bb01dfd111eb0271d88bde3258a60

SHA512
2f53086d5af59806f29902f693614e344fd0f75dc0deed4f8d18c95bfd2542ed7abd17aa60eeb8cde9d5c9f04ad42c4f87e3438eedf70cd8f5449f806e083ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cooporation Nvidia.exe
Filesize
286KB

MD5
2bb4aaf47de772b665bdab87fa48ee60

SHA1
ccddbd80107f4b854826c92d7e8088d6c3736684

SHA256
a939480354a35391d3b4c970ef4cfa48acbdcabb3c7992b21f947ac9029b9500

SHA512
4e75c2d36e753dd7bc192b2d4575a45a336179659573733dea6c484051c6efda25f4bb7412190c201e3f0f06a785409d130932df588dd69f199da8e9ae81daf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Naxor Crypter.exe
Filesize
1.9MB

MD5
eb62d522aa83250770fb5dfbe3136bda

SHA1
8e1b0a19575ef93cbe4f98b6ed252cf7a450ccdc

SHA256
f2936d5c363aca1604c2daacbfd086572c5956a0796a92f0d8f92001b9d0b971

SHA512
1b24cb54b5c3f907356e402afedee3603e81ceb5858bd3fcb52c349c42afbf6a426e9236d2c871b4191c21a4e799c5af0db0773822dfa6a3be128d776ec78be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Naxor.exe
Filesize
1.1MB

MD5
33dbbf2d55dc60f7c88638c145d0f716

SHA1
36bc559e602d931a6255c4286b7eeb7baf01bf11

SHA256
9333f355306caaf9d0b292c7268e3d3475b297533437a4fa7568b7743be30db6

SHA512
09d88f26867fb8dd1d11e5eecd16d5f952c9c8786ccd6a637ac65da0e2ed127d5ed819110ce344b38cdeec4b2219ead868ea75d3b6a9a6cb8fa53862ec7a7157

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
C:\Users\Admin\AppData\Roaming\Crypter\aKKKKK.xml
Filesize
1KB

MD5
ca6d074a05f58034f6640b0a7a48927a

SHA1
f3c693d4412d18dd14c695cf4287f11df25caf4d

SHA256
1df8651f3825fd8edb9d3fa3294b36da9723c125dcaf594be32e64b334b171ae

SHA512
6cd30ab071ba46cb341ea42c8cbaeeae8d128d5350c4ea4d7124451d85b8a1633c66657d53d41ef1acb0d460acc88cd44b0b264797ed58c5e85652a5cca87427

Download Submit
memory/1196-58-0x0000000005A50000-0x0000000005A5A000-memory.dmp

Filesize
40KB

Download
memory/1196-59-0x0000000005C80000-0x0000000005CD6000-memory.dmp

Filesize
344KB

Download
memory/1196-57-0x0000000005AF0000-0x0000000005B82000-memory.dmp

Filesize
584KB

Download
memory/1196-56-0x0000000006000000-0x00000000065A4000-memory.dmp

Filesize
5.6MB

Download
memory/1196-52-0x0000000005970000-0x0000000005A0C000-memory.dmp

Filesize
624KB

Download
memory/1196-49-0x0000000000F00000-0x00000000010F6000-memory.dmp

Filesize
2.0MB

Download
memory/4476-6-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4476-8-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4476-79-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/4476-20-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/4476-18-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/4476-78-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/4476-13-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/4476-26-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/4476-7-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4480-0-0x0000000074B42000-0x0000000074B43000-memory.dmp

Filesize
4KB

Download
memory/4480-2-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/4480-1-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/4480-22-0x0000000074B40000-0x00000000750F1000-memory.dmp

Filesize
5.7MB

Download
memory/4996-54-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads