nanocore | 2a7e2209067453a8c3a9c0ca48410bba692f0cda04b8b262f71774c5be6abcea

Analysis

max time kernel
121s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 06:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Loader.exe
Size

202KB
MD5

7280028431d7027ec91a5d0e66f10454
SHA1

111c1c8b84a9e594aeddf940887c6ef25ab4ad4d
SHA256

2a7e2209067453a8c3a9c0ca48410bba692f0cda04b8b262f71774c5be6abcea
SHA512

d0910785383246f220bbbe1162c877729deaf4c0cf0fc52ba03cab074f611953876361f680358e3306cd6dd6ddf28ff6e83ec56220e03a6ff2d9cd0601b3e1d4
SSDEEP

6144:gLV6Bta6dtJmakIM5EG1amlMCGx5PkRKMV9BP:gLV6BtpmkvG17lMCGzPK

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

international-linked.gl.at.ply.gg:30954

127.0.0.1:30954

Mutex

32765331-9ec8-4982-a18f-8e2df3122afa

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
buffer_size
65535
build_time
2024-09-26T08:23:36.948900636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
30954
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
32765331-9ec8-4982-a18f-8e2df3122afa
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
international-linked.gl.at.ply.gg
primary_dns_server
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Loader.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Subsystem = "C:\\Program Files (x86)\\PCI Subsystem\\pciss.exe"	Loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Subsystem = "C:\\Program Files (x86)\\PCI Subsystem\\pciss.exe"	Loader.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PCI Subsystem\pciss.exe	Loader.exe
File opened for modification	C:\Program Files (x86)\PCI Subsystem\pciss.exe	Loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "194"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4744	Loader.exe
4744	Loader.exe
4744	Loader.exe
4744	Loader.exe
4744	Loader.exe
4744	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
912	taskmgr.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
912	taskmgr.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
4116	Loader.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4744	Loader.exe
4116	Loader.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	Loader.exe
Token: SeDebugPrivilege	4744	Loader.exe
Token: SeDebugPrivilege	4744	Loader.exe
Token: SeDebugPrivilege	4116	Loader.exe
Token: SeDebugPrivilege	4116	Loader.exe
Token: 33	404	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	404	AUDIODG.EXE
Token: SeDebugPrivilege	912	taskmgr.exe
Token: SeSystemProfilePrivilege	912	taskmgr.exe
Token: SeCreateGlobalPrivilege	912	taskmgr.exe
Token: 33	912	taskmgr.exe
Token: SeIncBasePriorityPrivilege	912	taskmgr.exe
Token: SeDebugPrivilege	4116	Loader.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe
912	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4644	LogonUI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 4116	4744	Loader.exe	95
PID 4744 wrote to memory of 4116	4744	Loader.exe	95
PID 4744 wrote to memory of 4116	4744	Loader.exe	95

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2d4 0x46c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:912

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3880855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PCI Subsystem\pciss.exe

Filesize
202KB

MD5
7280028431d7027ec91a5d0e66f10454

SHA1
111c1c8b84a9e594aeddf940887c6ef25ab4ad4d

SHA256
2a7e2209067453a8c3a9c0ca48410bba692f0cda04b8b262f71774c5be6abcea

SHA512
d0910785383246f220bbbe1162c877729deaf4c0cf0fc52ba03cab074f611953876361f680358e3306cd6dd6ddf28ff6e83ec56220e03a6ff2d9cd0601b3e1d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Loader.exe.log

Filesize
768B

MD5
c46ede29279a34c143c313c700b12dc0

SHA1
14601e4d19da467e3d926935ff952c2b2df2556d

SHA256
7e361e0d9f67924114b540af44cf4b5a51ac03aa9331c8db6a1f4de14e8717bb

SHA512
ae96987e6146f5c6cb2e4c626dd4eadd4c0f8ed64e0cc70fb98b40787f2467fcd21945ba3ef14af6183b06eac2fea2fa5996f915d4cf7e8284158a39870769f8

Download Submit
C:\Users\Admin\AppData\Roaming\4304ACB9-C3F6-452A-9860-EB4E85D38D4E\catalog.dat

Filesize
232B

MD5
9e7d0351e4df94a9b0badceb6a9db963

SHA1
76c6a69b1c31cea2014d1fd1e222a3dd1e433005

SHA256
aafc7b40c5fe680a2bb549c3b90aabaac63163f74fffc0b00277c6bbff88b757

SHA512
93ccf7e046a3c403ecf8bc4f1a8850ba0180fe18926c98b297c5214eb77bc212c8fbcc58412d0307840cf2715b63be68bacda95aa98e82835c5c53f17ef38511

Download Submit
C:\Users\Admin\AppData\Roaming\4304ACB9-C3F6-452A-9860-EB4E85D38D4E\run.dat

Filesize
8B

MD5
91b828030927e7cb38c7f19162c08879

SHA1
d843ffa1377ac8ff462686b0c1bba8ed823dc846

SHA256
85f9abb08c113179eeeb31533baed0d5a0d9aa14a0fbce3d4c64efcba1d7f9dc

SHA512
533b7a2810af7750f15d58c7acd2ab5d87fc87731e2345cd7820fa862107e6fc02edaac07ef2adc1f62f23e84b05981735271db7e7e5069904266bfd59379ec1

Download Submit
C:\Users\Admin\AppData\Roaming\4304ACB9-C3F6-452A-9860-EB4E85D38D4E\settings.bin

Filesize
40B

MD5
ae0f5e6ce7122af264ec533c6b15a27b

SHA1
1265a495c42eed76cc043d50c60c23297e76cce1

SHA256
73b0b92179c61c26589b47e9732ce418b07edee3860ee5a2a5fb06f3b8aa9b26

SHA512
dd44c2d24d4e3a0f0b988ad3d04683b5cb128298043134649bbe33b2512ce0c9b1a8e7d893b9f66fbbcdd901e2b0646c4533fb6c0c8c4afcb95a0efb95d446f8

Download Submit
C:\Users\Admin\AppData\Roaming\4304ACB9-C3F6-452A-9860-EB4E85D38D4E\storage.dat

Filesize
416KB

MD5
653dddcb6c89f6ec51f3ddc0053c5914

SHA1
4cf7e7d42495ce01c261e4c5c4b8bf6cd76ccee5

SHA256
83b9cae66800c768887fb270728f6806cbebdead9946fa730f01723847f17ff9

SHA512
27a467f2364c21cd1c6c34ef1ca5ffb09b4c3180fc9c025e293374eb807e4382108617bb4b97f8ebbc27581cd6e5988bb5e21276b3cb829c1c0e49a6fc9463a0

Download Submit
memory/912-44-0x000002535EC30000-0x000002535EC31000-memory.dmp

Filesize
4KB

Download
memory/912-38-0x000002535EC30000-0x000002535EC31000-memory.dmp

Filesize
4KB

Download
memory/912-39-0x000002535EC30000-0x000002535EC31000-memory.dmp

Filesize
4KB

Download
memory/912-33-0x000002535EC30000-0x000002535EC31000-memory.dmp

Filesize
4KB

Download
memory/912-34-0x000002535EC30000-0x000002535EC31000-memory.dmp

Filesize
4KB

Download
memory/912-32-0x000002535EC30000-0x000002535EC31000-memory.dmp

Filesize
4KB

Download
memory/912-41-0x000002535EC30000-0x000002535EC31000-memory.dmp

Filesize
4KB

Download
memory/912-40-0x000002535EC30000-0x000002535EC31000-memory.dmp

Filesize
4KB

Download
memory/912-43-0x000002535EC30000-0x000002535EC31000-memory.dmp

Filesize
4KB

Download
memory/912-42-0x000002535EC30000-0x000002535EC31000-memory.dmp

Filesize
4KB

Download
memory/4116-15-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4116-17-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4116-24-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4116-26-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4116-27-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4116-28-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4116-29-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4116-30-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4116-31-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4116-18-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4116-48-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4744-0-0x0000000074E42000-0x0000000074E43000-memory.dmp

Filesize
4KB

Download
memory/4744-12-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4744-11-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4744-10-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4744-9-0x0000000074E42000-0x0000000074E43000-memory.dmp

Filesize
4KB

Download
memory/4744-5-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4744-2-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4744-1-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4744-16-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads