nanocore | da5b1aebdc5aae0e54daef1f80d5e853b2b470fa9225a7d899f80f970c45e904

General

Target

9e1109f17a8fc0e2fb3039c371a96de8_JaffaCakes118.ps1
Size

2.3MB
MD5

9e1109f17a8fc0e2fb3039c371a96de8
SHA1

03169d81d381d05b7312ddfca7b3a6e8441c9439
SHA256

da5b1aebdc5aae0e54daef1f80d5e853b2b470fa9225a7d899f80f970c45e904
SHA512

30d89d02a3bedb5d7fb534a8bdce0df0373bdb5d2d6484e2426d4bcbf3475ae03e5987a34fe81d54d5520d66733b46f4fd328d63d0f4337317e45a842c9a1dd1
SSDEEP

49152:W7cQuKURwwTUboxB9HjYUaFrIxfjEg478i6HL:3

Score

10^/10

nanocore evasion execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.244.31.239:2100

127.0.0.1:2100

Mutex

114e45fb-ecea-4d0d-8c58-054f50d53d55

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-03-01T08:38:16.974793536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2100
default_group
NEW LEVEL
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
114e45fb-ecea-4d0d-8c58-054f50d53d55
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.244.31.239
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

smzi.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions smzi.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

smzi.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools smzi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	smzi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	smzi.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

smzi.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	smzi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	smzi.exe

Executes dropped EXE 1 IoCs

Processes:

smzi.exe

pid process

4504 smzi.exe

pid	process
4504	smzi.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

smzi.exeRegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startupname = "C:\\Users\\Admin\\AppData\\Roaming\\filename.exe"	smzi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe"	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smzi.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	smzi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smzi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

smzi.exe

description pid process target process

PID 4504 set thread context of 2232 4504 smzi.exe RegAsm.exe

description	pid	process	target process
PID 4504 set thread context of 2232	4504	smzi.exe	RegAsm.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\DPI Subsystem\dpiss.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\DPI Subsystem\dpiss.exe	RegAsm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4952 powershell.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

548 schtasks.exe
2052 schtasks.exe

pid	process
548	schtasks.exe
2052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exesmzi.exe

pid	process
4952	powershell.exe
4952	powershell.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe
4504	smzi.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

2232 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exesmzi.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 4952 powershell.exe
Token: SeDebugPrivilege 4504 smzi.exe
Token: SeDebugPrivilege 2232 RegAsm.exe

pid	process
2232	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	4504	smzi.exe
Token: SeDebugPrivilege	2232	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

powershell.exesmzi.exeRegAsm.exe

description	pid	process	target process
PID 4952 wrote to memory of 4504	4952	powershell.exe	smzi.exe
PID 4952 wrote to memory of 4504	4952	powershell.exe	smzi.exe
PID 4952 wrote to memory of 4504	4952	powershell.exe	smzi.exe
PID 4504 wrote to memory of 2232	4504	smzi.exe	RegAsm.exe
PID 4504 wrote to memory of 2232	4504	smzi.exe	RegAsm.exe
PID 4504 wrote to memory of 2232	4504	smzi.exe	RegAsm.exe
PID 4504 wrote to memory of 2232	4504	smzi.exe	RegAsm.exe
PID 4504 wrote to memory of 2232	4504	smzi.exe	RegAsm.exe
PID 4504 wrote to memory of 2232	4504	smzi.exe	RegAsm.exe
PID 4504 wrote to memory of 2232	4504	smzi.exe	RegAsm.exe
PID 4504 wrote to memory of 2232	4504	smzi.exe	RegAsm.exe
PID 2232 wrote to memory of 548	2232	RegAsm.exe	schtasks.exe
PID 2232 wrote to memory of 548	2232	RegAsm.exe	schtasks.exe
PID 2232 wrote to memory of 548	2232	RegAsm.exe	schtasks.exe
PID 2232 wrote to memory of 2052	2232	RegAsm.exe	schtasks.exe
PID 2232 wrote to memory of 2052	2232	RegAsm.exe	schtasks.exe
PID 2232 wrote to memory of 2052	2232	RegAsm.exe	schtasks.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\9e1109f17a8fc0e2fb3039c371a96de8_JaffaCakes118.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952

C:\Users\Public\smzi.exe
"C:\Users\Public\smzi.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6A91.tmp"
4⤵
- Creates scheduled task(s)
PID:548

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6AFF.tmp"
4⤵
- Creates scheduled task(s)
PID:2052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ejmxihgb.pcl.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A91.tmp
Filesize
1KB

MD5
c6f0625bf4c1cdfb699980c9243d3b22

SHA1
43de1fe580576935516327f17b5da0c656c72851

SHA256
8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576

SHA512
9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6AFF.tmp
Filesize
1KB

MD5
5fea24e883e06e4df6d240dc72abf2c5

SHA1
d778bf0f436141e02df4b421e8188abdcc9a84a4

SHA256
e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66

SHA512
15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924

Download Submit
C:\Users\Public\smzi.exe
Filesize
1.6MB

MD5
d9de0dd528e50e98d6b6740893e5747f

SHA1
07139a85b6928a2375acbbe5c9edc2c193e317b6

SHA256
b6ffe3f77d08028ec5f85b4485af07b63a5905350dc7e963ae485760c804e7cc

SHA512
2d22f65c45ae1ac2a644b0f712b600f503313e1aff2af099705cb50c668f2279431cd1ab07e1838a476d96af59be2e3daf45ae3923640b15412357925491fb58

Download Submit
memory/2232-98-0x0000000070612000-0x0000000070613000-memory.dmp

Filesize
4KB

Download
memory/2232-112-0x0000000070610000-0x0000000070BC1000-memory.dmp

Filesize
5.7MB

Download
memory/2232-111-0x0000000070612000-0x0000000070613000-memory.dmp

Filesize
4KB

Download
memory/2232-101-0x0000000070610000-0x0000000070BC1000-memory.dmp

Filesize
5.7MB

Download
memory/2232-99-0x0000000070610000-0x0000000070BC1000-memory.dmp

Filesize
5.7MB

Download
memory/4504-65-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-23-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4504-28-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-39-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-91-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-96-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4504-95-0x0000000005C30000-0x0000000005C68000-memory.dmp

Filesize
224KB

Download
memory/4504-94-0x0000000005CC0000-0x0000000005D5C000-memory.dmp

Filesize
624KB

Download
memory/4504-90-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-87-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-25-0x0000000005110000-0x0000000005138000-memory.dmp

Filesize
160KB

Download
memory/4504-85-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-83-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-81-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-79-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-77-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-75-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-73-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-71-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-69-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-67-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-24-0x0000000005090000-0x00000000050FC000-memory.dmp

Filesize
432KB

Download
memory/4504-64-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-61-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-59-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-26-0x00000000051D0000-0x0000000005236000-memory.dmp

Filesize
408KB

Download
memory/4504-57-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-55-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-54-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-51-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-50-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-47-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-45-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-43-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-41-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-38-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-35-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-33-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-31-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-29-0x0000000005110000-0x0000000005131000-memory.dmp

Filesize
132KB

Download
memory/4504-20-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/4504-21-0x00000000004D0000-0x0000000000676000-memory.dmp

Filesize
1.6MB

Download
memory/4504-22-0x00000000054A0000-0x00000000059CC000-memory.dmp

Filesize
5.2MB

Download
memory/4504-108-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/4504-109-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4504-110-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4952-0-0x00007FF9A8013000-0x00007FF9A8015000-memory.dmp

Filesize
8KB

Download
memory/4952-10-0x00000222C22B0000-0x00000222C22D2000-memory.dmp

Filesize
136KB

Download
memory/4952-11-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4952-12-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4952-19-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads