nanocore | 62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83

General

Target

62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe
Size

697KB
MD5

c4c93bc9f72bed159b6b2eba554d9ff9
SHA1

5064d1765a61f37b166eccea7747d27e41332c67
SHA256

62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83
SHA512

d313f7791c09e47a832d0934a5e8875f580ac05c0d30f90263c4fa7dc6119cc6e34bdd328d2d1761f2fb82b318ebbacd64b656a5082724b4e181edc04290f409
SSDEEP

12288:Fi0pei36RcXKEl4qS5e99HNkaMAU7Bv7zB8tbcCt4pJ:FFpp36+6EWRerNTnU7BT2lco4

Score

10^/10

nanocore execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

december2n.duckdns.org:65140

december2nd.ddns.net:65140

Mutex

899d14c1-6714-492c-b745-3165bff717a5

Attributes

activate_away_mode
false
backup_connection_host
december2nd.ddns.net
backup_dns_server
buffer_size
65535
build_time
2024-02-27T02:16:51.671967236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
65140
default_group
NO GREE
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
899d14c1-6714-492c-b745-3165bff717a5
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
december2n.duckdns.org
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4464 powershell.exe
5056 powershell.exe

pid	process
4464	powershell.exe
5056	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Monitor = "C:\\Program Files (x86)\\LAN Monitor\\lanmon.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe

description	pid	process	target process
PID 4480 set thread context of 2128	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Program Files (x86)\LAN Monitor\lanmon.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\LAN Monitor\lanmon.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3352 schtasks.exe
2952 schtasks.exe
2592 schtasks.exe

pid	process
3352	schtasks.exe
2952	schtasks.exe
2592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe
4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe
4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe
4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe
4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe
4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe
4464	powershell.exe
5056	powershell.exe
4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe
4464	powershell.exe
5056	powershell.exe
2128	RegSvcs.exe
2128	RegSvcs.exe
2128	RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

2128 RegSvcs.exe

pid	process
2128	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	2128	RegSvcs.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exeRegSvcs.exe

description	pid	process	target process
PID 4480 wrote to memory of 4464	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	powershell.exe
PID 4480 wrote to memory of 4464	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	powershell.exe
PID 4480 wrote to memory of 4464	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	powershell.exe
PID 4480 wrote to memory of 5056	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	powershell.exe
PID 4480 wrote to memory of 5056	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	powershell.exe
PID 4480 wrote to memory of 5056	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	powershell.exe
PID 4480 wrote to memory of 3352	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	schtasks.exe
PID 4480 wrote to memory of 3352	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	schtasks.exe
PID 4480 wrote to memory of 3352	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	schtasks.exe
PID 4480 wrote to memory of 2128	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	RegSvcs.exe
PID 4480 wrote to memory of 2128	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	RegSvcs.exe
PID 4480 wrote to memory of 2128	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	RegSvcs.exe
PID 4480 wrote to memory of 2128	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	RegSvcs.exe
PID 4480 wrote to memory of 2128	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	RegSvcs.exe
PID 4480 wrote to memory of 2128	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	RegSvcs.exe
PID 4480 wrote to memory of 2128	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	RegSvcs.exe
PID 4480 wrote to memory of 2128	4480	62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe	RegSvcs.exe
PID 2128 wrote to memory of 2952	2128	RegSvcs.exe	schtasks.exe
PID 2128 wrote to memory of 2952	2128	RegSvcs.exe	schtasks.exe
PID 2128 wrote to memory of 2952	2128	RegSvcs.exe	schtasks.exe
PID 2128 wrote to memory of 2592	2128	RegSvcs.exe	schtasks.exe
PID 2128 wrote to memory of 2592	2128	RegSvcs.exe	schtasks.exe
PID 2128 wrote to memory of 2592	2128	RegSvcs.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe
"C:\Users\Admin\AppData\Local\Temp\62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\62ce4e89f91a70f82f5a61bf76c4ab592982f761eef609bd7ea7b196f9415e83.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aJDyPjUKcXvqr.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aJDyPjUKcXvqr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp"
2⤵
- Creates scheduled task(s)
PID:3352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp"
3⤵
- Creates scheduled task(s)
PID:2952

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBC8A.tmp"
3⤵
- Creates scheduled task(s)
PID:2592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
1a5ff9597c4836920f8212b2fc8271b8

SHA1
6d72a9f5d6f32192a366d5effffc8f4aad70b7f1

SHA256
259beb6e2769ca0787e3264a3810cdaa70f1fab1f8090ba1191d20b950450bc5

SHA512
f2ad65b45b74ef8b8ba19d4b2576c320d472ff750fe7721b571dd49489ebf888a8613981d398fcb281a79183c2fe270e9bc38ff64afcdd9f07cd01fa73886a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m4lcyr41.jww.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp
Filesize
1KB

MD5
77580ac48611ba539feacf7422dec739

SHA1
6e4c803311421bb945580b0a449e58dbafa5a1c5

SHA256
72a501e00367894577e7a389cf03c2e658d76d2126d64570cf8aefa0662abb23

SHA512
b9c657d8aa9d0a936f0d31757fb248bd66b6d3bd68dc6a4719fbf8295f7ec0f99f2093317bf4e612da07684557aafa8069fc94e725e172864821ab2ce000a836

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp
Filesize
1KB

MD5
8cad1b41587ced0f1e74396794f31d58

SHA1
11054bf74fcf5e8e412768035e4dae43aa7b710f

SHA256
3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c

SHA512
99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC8A.tmp
Filesize
1KB

MD5
ecf141ec69adbb2a5c3dd5c85cd0ec39

SHA1
0ad224632fa58d103142c05c44a142f3d7208291

SHA256
64d8cfa0b25afee269839cd5fc0b66e5643bc318e5f4d3ce1b9dba2456c83316

SHA512
4821b062d6672f3ed07833cfd7ab9abb533850b451b632d781fbfad8238fcd5ac52855f1f239547ae2d1c1477959f022430302a75cfd3c19a8473af72a1ef201

Download Submit
memory/2128-55-0x00000000058B0000-0x00000000058BC000-memory.dmp

Filesize
48KB

Download
memory/2128-56-0x00000000059E0000-0x00000000059FE000-memory.dmp

Filesize
120KB

Download
memory/2128-57-0x0000000005A80000-0x0000000005A8A000-memory.dmp

Filesize
40KB

Download
memory/2128-54-0x00000000058A0000-0x00000000058AA000-memory.dmp

Filesize
40KB

Download
memory/2128-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4464-46-0x0000000006250000-0x000000000629C000-memory.dmp

Filesize
304KB

Download
memory/4464-70-0x00000000751E0000-0x000000007522C000-memory.dmp

Filesize
304KB

Download
memory/4464-16-0x00007FFB340B0000-0x00007FFB342A5000-memory.dmp

Filesize
2.0MB

Download
memory/4464-94-0x00007FFB340B0000-0x00007FFB342A5000-memory.dmp

Filesize
2.0MB

Download
memory/4464-18-0x0000000005320000-0x0000000005948000-memory.dmp

Filesize
6.2MB

Download
memory/4464-88-0x00000000078B0000-0x00000000078CA000-memory.dmp

Filesize
104KB

Download
memory/4464-21-0x0000000005280000-0x00000000052A2000-memory.dmp

Filesize
136KB

Download
memory/4464-23-0x0000000005BF0000-0x0000000005C56000-memory.dmp

Filesize
408KB

Download
memory/4464-22-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/4464-87-0x00000000077B0000-0x00000000077C4000-memory.dmp

Filesize
80KB

Download
memory/4464-15-0x0000000004C70000-0x0000000004CA6000-memory.dmp

Filesize
216KB

Download
memory/4464-30-0x0000000005C60000-0x0000000005FB4000-memory.dmp

Filesize
3.3MB

Download
memory/4464-85-0x0000000007770000-0x0000000007781000-memory.dmp

Filesize
68KB

Download
memory/4464-45-0x0000000006230000-0x000000000624E000-memory.dmp

Filesize
120KB

Download
memory/4464-84-0x00000000077F0000-0x0000000007886000-memory.dmp

Filesize
600KB

Download
memory/4464-83-0x00000000075E0000-0x00000000075EA000-memory.dmp

Filesize
40KB

Download
memory/4480-9-0x000000000D2C0000-0x000000000D33C000-memory.dmp

Filesize
496KB

Download
memory/4480-7-0x00000000058E0000-0x00000000058EC000-memory.dmp

Filesize
48KB

Download
memory/4480-4-0x00007FFB340B0000-0x00007FFB342A5000-memory.dmp

Filesize
2.0MB

Download
memory/4480-3-0x0000000005340000-0x00000000053D2000-memory.dmp

Filesize
584KB

Download
memory/4480-2-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/4480-17-0x00007FFB340B0000-0x00007FFB342A5000-memory.dmp

Filesize
2.0MB

Download
memory/4480-1-0x00000000007E0000-0x0000000000894000-memory.dmp

Filesize
720KB

Download
memory/4480-10-0x0000000010AA0000-0x0000000010B3C000-memory.dmp

Filesize
624KB

Download
memory/4480-8-0x0000000002C60000-0x0000000002C70000-memory.dmp

Filesize
64KB

Download
memory/4480-6-0x00000000058C0000-0x00000000058E2000-memory.dmp

Filesize
136KB

Download
memory/4480-0-0x00007FFB340B0000-0x00007FFB342A5000-memory.dmp

Filesize
2.0MB

Download
memory/4480-5-0x0000000005290000-0x000000000529A000-memory.dmp

Filesize
40KB

Download
memory/5056-82-0x0000000007830000-0x000000000784A000-memory.dmp

Filesize
104KB

Download
memory/5056-81-0x0000000007E70000-0x00000000084EA000-memory.dmp

Filesize
6.5MB

Download
memory/5056-71-0x0000000007700000-0x00000000077A3000-memory.dmp

Filesize
652KB

Download
memory/5056-86-0x0000000007A60000-0x0000000007A6E000-memory.dmp

Filesize
56KB

Download
memory/5056-20-0x00007FFB340B0000-0x00007FFB342A5000-memory.dmp

Filesize
2.0MB

Download
memory/5056-69-0x00000000076E0000-0x00000000076FE000-memory.dmp

Filesize
120KB

Download
memory/5056-89-0x0000000007B50000-0x0000000007B58000-memory.dmp

Filesize
32KB

Download
memory/5056-58-0x0000000007480000-0x00000000074B2000-memory.dmp

Filesize
200KB

Download
memory/5056-59-0x00000000751E0000-0x000000007522C000-memory.dmp

Filesize
304KB

Download
memory/5056-95-0x00007FFB340B0000-0x00007FFB342A5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads