nanocore | da5b1aebdc5aae0e54daef1f80d5e853b2b470fa9225a7d899f80f970c45e904

General

Target

9e1109f17a8fc0e2fb3039c371a96de8_JaffaCakes118.ps1
Size

2.3MB
MD5

9e1109f17a8fc0e2fb3039c371a96de8
SHA1

03169d81d381d05b7312ddfca7b3a6e8441c9439
SHA256

da5b1aebdc5aae0e54daef1f80d5e853b2b470fa9225a7d899f80f970c45e904
SHA512

30d89d02a3bedb5d7fb534a8bdce0df0373bdb5d2d6484e2426d4bcbf3475ae03e5987a34fe81d54d5520d66733b46f4fd328d63d0f4337317e45a842c9a1dd1
SSDEEP

49152:W7cQuKURwwTUboxB9HjYUaFrIxfjEg478i6HL:3

Score

10^/10

nanocore evasion execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.244.31.239:2100

127.0.0.1:2100

Mutex

114e45fb-ecea-4d0d-8c58-054f50d53d55

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-03-01T08:38:16.974793536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2100
default_group
NEW LEVEL
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
114e45fb-ecea-4d0d-8c58-054f50d53d55
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.244.31.239
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

zdhq.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions zdhq.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

zdhq.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools zdhq.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	zdhq.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	zdhq.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

zdhq.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	zdhq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	zdhq.exe

Executes dropped EXE 1 IoCs

Processes:

zdhq.exe

pid process

2060 zdhq.exe

pid	process
2060	zdhq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

zdhq.exeRegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\startupname = "C:\\Users\\Admin\\AppData\\Roaming\\filename.exe"	zdhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Service = "C:\\Program Files (x86)\\LAN Service\\lansv.exe"	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

zdhq.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	zdhq.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	zdhq.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

zdhq.exe

description pid process target process

PID 2060 set thread context of 3032 2060 zdhq.exe RegAsm.exe

description	pid	process	target process
PID 2060 set thread context of 3032	2060	zdhq.exe	RegAsm.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\LAN Service\lansv.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\LAN Service\lansv.exe	RegAsm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2944 powershell.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1604 schtasks.exe
1588 schtasks.exe

pid	process
1604	schtasks.exe
1588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exezdhq.exe

pid	process
2944	powershell.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe
2060	zdhq.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

3032 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exezdhq.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 2944 powershell.exe
Token: SeDebugPrivilege 2060 zdhq.exe
Token: SeDebugPrivilege 3032 RegAsm.exe

pid	process
3032	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2060	zdhq.exe
Token: SeDebugPrivilege	3032	RegAsm.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

powershell.exezdhq.exeRegAsm.exe

description	pid	process	target process
PID 2944 wrote to memory of 2060	2944	powershell.exe	zdhq.exe
PID 2944 wrote to memory of 2060	2944	powershell.exe	zdhq.exe
PID 2944 wrote to memory of 2060	2944	powershell.exe	zdhq.exe
PID 2944 wrote to memory of 2060	2944	powershell.exe	zdhq.exe
PID 2060 wrote to memory of 3032	2060	zdhq.exe	RegAsm.exe
PID 2060 wrote to memory of 3032	2060	zdhq.exe	RegAsm.exe
PID 2060 wrote to memory of 3032	2060	zdhq.exe	RegAsm.exe
PID 2060 wrote to memory of 3032	2060	zdhq.exe	RegAsm.exe
PID 2060 wrote to memory of 3032	2060	zdhq.exe	RegAsm.exe
PID 2060 wrote to memory of 3032	2060	zdhq.exe	RegAsm.exe
PID 2060 wrote to memory of 3032	2060	zdhq.exe	RegAsm.exe
PID 2060 wrote to memory of 3032	2060	zdhq.exe	RegAsm.exe
PID 2060 wrote to memory of 3032	2060	zdhq.exe	RegAsm.exe
PID 2060 wrote to memory of 3032	2060	zdhq.exe	RegAsm.exe
PID 2060 wrote to memory of 3032	2060	zdhq.exe	RegAsm.exe
PID 2060 wrote to memory of 3032	2060	zdhq.exe	RegAsm.exe
PID 3032 wrote to memory of 1604	3032	RegAsm.exe	schtasks.exe
PID 3032 wrote to memory of 1604	3032	RegAsm.exe	schtasks.exe
PID 3032 wrote to memory of 1604	3032	RegAsm.exe	schtasks.exe
PID 3032 wrote to memory of 1604	3032	RegAsm.exe	schtasks.exe
PID 3032 wrote to memory of 1588	3032	RegAsm.exe	schtasks.exe
PID 3032 wrote to memory of 1588	3032	RegAsm.exe	schtasks.exe
PID 3032 wrote to memory of 1588	3032	RegAsm.exe	schtasks.exe
PID 3032 wrote to memory of 1588	3032	RegAsm.exe	schtasks.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\9e1109f17a8fc0e2fb3039c371a96de8_JaffaCakes118.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Public\zdhq.exe
"C:\Users\Public\zdhq.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp312E.tmp"
4⤵
- Creates scheduled task(s)
PID:1604

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp31AC.tmp"
4⤵
- Creates scheduled task(s)
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp312E.tmp
Filesize
1KB

MD5
c6f0625bf4c1cdfb699980c9243d3b22

SHA1
43de1fe580576935516327f17b5da0c656c72851

SHA256
8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576

SHA512
9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp31AC.tmp
Filesize
1KB

MD5
6b30dba7972c92c9a1b881e88c108b15

SHA1
f76207985cc5a1f70edb2fb5bd45678f195a4564

SHA256
578f5b0ff051f02f8e0a67fc3424dad554fa9489875475ea624fbb63eabfcbf7

SHA512
e3dd368937f863cb07453de12173580fb63b8d3983db7119c24860f227c89ded76401c47607f5b1134d215d46fe2b40d4bc3d7299374f1e8abecdeaefc7b9099

Download Submit
C:\Users\Public\zdhq.exe
Filesize
1.6MB

MD5
d9de0dd528e50e98d6b6740893e5747f

SHA1
07139a85b6928a2375acbbe5c9edc2c193e317b6

SHA256
b6ffe3f77d08028ec5f85b4485af07b63a5905350dc7e963ae485760c804e7cc

SHA512
2d22f65c45ae1ac2a644b0f712b600f503313e1aff2af099705cb50c668f2279431cd1ab07e1838a476d96af59be2e3daf45ae3923640b15412357925491fb58

Download Submit
memory/2060-62-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-32-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-56-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-111-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2060-110-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2060-109-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/2060-58-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-21-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/2060-31-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-23-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-50-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-84-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-83-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-80-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-78-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-76-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-75-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-89-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2060-60-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-70-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-68-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-66-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-64-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-19-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2060-72-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-16-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/2060-18-0x0000000000AF0000-0x0000000000C96000-memory.dmp

Filesize
1.6MB

Download
memory/2060-54-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-52-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-48-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-46-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-44-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-42-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-40-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-38-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-36-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-34-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-20-0x0000000000720000-0x000000000078C000-memory.dmp

Filesize
432KB

Download
memory/2060-28-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-86-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-26-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-24-0x0000000000970000-0x0000000000991000-memory.dmp

Filesize
132KB

Download
memory/2060-90-0x00000000042B0000-0x00000000042E8000-memory.dmp

Filesize
224KB

Download
memory/2944-10-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2944-8-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2944-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2944-7-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2944-5-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2944-9-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2944-4-0x000007FEF616E000-0x000007FEF616F000-memory.dmp

Filesize
4KB

Download
memory/2944-17-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads