gh0strat | b192e271a7e2d10972dd08122dca3e761225f6f58a4206132230ea64df5b9a2c

General

Target

b192e271a7e2d10972dd08122dca3e761225f6f58a4206132230ea64df5b9a2c.dll
Size

137KB
MD5

ec1e0135bd157cb40d3f31de79e59119
SHA1

6d5b37278bec5156f07746dc713463837ee607aa
SHA256

b192e271a7e2d10972dd08122dca3e761225f6f58a4206132230ea64df5b9a2c
SHA512

1849fa9fd7d6b4cb642cd46c6f953b3654a9845087166e7ed2f4fabdce34b02451e87f68306dbf01be46e1f00ea932cbcd584112c842a9acbe0cafce9aea94fb
SSDEEP

3072:uR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUu:725GgFny61mra

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/3432-5-0x0000000010000000-0x000000001001C000-memory.dmp	family_gh0strat
behavioral2/memory/3432-6-0x0000000010000000-0x000000001001C000-memory.dmp	family_gh0strat
behavioral2/memory/3432-42-0x0000000010000000-0x000000001001C000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	3432	rundll32.exe

Boot or Logon Autostart Execution: Port Monitors 1 TTPs 16 IoCs

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

persistence

Port Monitors

T1547.010

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor\Driver = "scsimon.dll"	rundll32.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor\Driver = "scsimon.dll"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint	Spoolsv.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\ImagePath = "Spoolsv.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\ImagePath = "Spoolsv.exe"	svchost.exe

ACProtect 1.3x - 1.4x DLL software 15 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/memory/3432-5-0x0000000010000000-0x000000001001C000-memory.dmp	acprotect
behavioral2/memory/3432-6-0x0000000010000000-0x000000001001C000-memory.dmp	acprotect
behavioral2/memory/3432-7-0x0000000002860000-0x000000000287D000-memory.dmp	acprotect
behavioral2/memory/3432-13-0x0000000002860000-0x000000000287D000-memory.dmp	acprotect
behavioral2/memory/3432-16-0x0000000002860000-0x000000000287D000-memory.dmp	acprotect
behavioral2/memory/3432-14-0x0000000002860000-0x000000000287D000-memory.dmp	acprotect
behavioral2/memory/3432-12-0x0000000002860000-0x000000000287D000-memory.dmp	acprotect
behavioral2/memory/3432-10-0x0000000002860000-0x000000000287D000-memory.dmp	acprotect
behavioral2/memory/1844-29-0x0000000003520000-0x000000000353D000-memory.dmp	acprotect
behavioral2/memory/1844-24-0x0000000003520000-0x000000000353D000-memory.dmp	acprotect
behavioral2/memory/1844-28-0x0000000003520000-0x000000000353D000-memory.dmp	acprotect
behavioral2/memory/1844-30-0x0000000003520000-0x000000000353D000-memory.dmp	acprotect
behavioral2/memory/1844-27-0x0000000003520000-0x000000000353D000-memory.dmp	acprotect
behavioral2/memory/1844-25-0x0000000003520000-0x000000000353D000-memory.dmp	acprotect
behavioral2/memory/3432-42-0x0000000010000000-0x000000001001C000-memory.dmp	acprotect

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\com\comb.dll	rundll32.exe
File created	C:\Windows\SysWOW64\Miscson.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\scsimon.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Miscson.dll	svchost.exe
File created	C:\Windows\SysWOW64\Miscson.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\scsimon.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\com\comb.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Miscson.dll	rundll32.exe
File created	C:\Windows\SysWOW64\scsimon.dll	rundll32.exe
File created	C:\Windows\SysWOW64\scsimon.dll	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3432 set thread context of 1844	3432	rundll32.exe	90

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\AcSvcst.dll	rundll32.exe
File created	C:\Windows\AppPatch\AcSvcst.dll	rundll32.exe
File opened for modification	C:\Windows\AppPatch\ComBack.Dll	rundll32.exe
File created	C:\Windows\AppPatch\ComBack.Dll	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4704	3432	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	Spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	Spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	Spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	Spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	Spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	Spoolsv.exe

Modifies data under HKEY_USERS 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	Spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	Spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices	Spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	Spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	Spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices	Spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	Spoolsv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3432	rundll32.exe
Token: SeDebugPrivilege	1844	svchost.exe
Token: SeDebugPrivilege	3432	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 3432	4916	rundll32.exe	87
PID 4916 wrote to memory of 3432	4916	rundll32.exe	87
PID 4916 wrote to memory of 3432	4916	rundll32.exe	87
PID 3432 wrote to memory of 1844	3432	rundll32.exe	90
PID 3432 wrote to memory of 1844	3432	rundll32.exe	90
PID 3432 wrote to memory of 1844	3432	rundll32.exe	90
PID 3432 wrote to memory of 1844	3432	rundll32.exe	90

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b192e271a7e2d10972dd08122dca3e761225f6f58a4206132230ea64df5b9a2c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b192e271a7e2d10972dd08122dca3e761225f6f58a4206132230ea64df5b9a2c.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Boot or Logon Autostart Execution: Port Monitors
  - Sets service image path in registry
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe -k rundll32
    3⤵
    - Boot or Logon Autostart Execution: Port Monitors
    - Sets service image path in registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 668
    3⤵
    - Program crash
    PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3432 -ip 3432
1⤵
PID:1496

C:\Windows\system32\Spoolsv.exe
Spoolsv.exe
1⤵
PID:3000

C:\Windows\system32\Spoolsv.exe
Spoolsv.exe
1⤵
- Boot or Logon Autostart Execution: Port Monitors
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Port Monitors

1

T1547.010

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Port Monitors

1

T1547.010

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AppPatch\ComBack.Dll

Filesize
137KB

MD5
247bf2b16b5d523989ef10df25849e33

SHA1
eca8ba51133e3f4185995a907d5bc2cb45bf1787

SHA256
87d4356db948df5bacae8ce2dc3e6c1dae2083ae9f6f635c586d892433f8506f

SHA512
69e220775317ee0433d989eaefac085fbdad4a15f0de6a27d1f6aacaecabc0f6242b9439d720a8d9ac79c0c447df55a9f07399c7b4cd392c0b8aae0c6566db9e

Download Submit
C:\Windows\SysWOW64\Miscson.dll

Filesize
137KB

MD5
c6e636b550ace106ebe7ce254c2d631e

SHA1
687f13298d2102330b9ea6ec70be5e6df869138e

SHA256
a979cc8490b9b9927c78b27258d332ebf69561ca509b6e21730ea9289e0d770d

SHA512
6a563fac2e5430a207c7d94e50b84055f175418c191aca77538ae956688ad59c528d79cce5fb8f22a765294e80bc4c7d4ce8efd7b9b7d9cafdb202e6a59a6f09

Download Submit
C:\Windows\SysWOW64\com\comb.dll

Filesize
128B

MD5
de2af9d1d799c1b67fe16f0eff6a7e27

SHA1
124ae19b0278f9e57a021371440282e6f1607d09

SHA256
d628b53623234276f24a4c5ce2d0d3fa305bb8a50340f5f03d52efc58c33e9c1

SHA512
ca3c2c91e0addb9384630b17a1213f80b424bd6ec4aa221d14478bd7810378f7a6452833e23466fefa63401f52b888cecba07ae727b04938bf9842e6710e9a3e

Download Submit
C:\Windows\SysWOW64\com\comb.dll

Filesize
247B

MD5
3d7ccdebeccf70c50d5d0f75758101ad

SHA1
8f09a087084506734a523f35b0411822eef2a822

SHA256
76f990f6a19f4876ae5c31132d0ba974c773b1575003a8da547de5d7da9178fe

SHA512
f65ee6761d41af6e80a8f9c530502eae573ccb897f82a3180e1170bad7e558ad2865169675381d968c3d08004f86220e1849c6be2628e8bb71fd9947392825bd

Download Submit
C:\Windows\SysWOW64\com\comb.dll

Filesize
326B

MD5
abaa70f791c467750b1b8c26822f1d90

SHA1
649e1e913ddbf7922ac6f7a54f364938bd451b39

SHA256
6a74951e0d1d408533253022015214f358ce282c72f3293b3fe4b2dc229b9a8b

SHA512
4ee72ab77cddb0ca78e03cd6e48e1166f8e4e843ef06611e1d93ffabd48fc45ebf5fda989dd2f0d2c03c9f97715c8d65e3a872ddb63e857d255db957d2d52069

Download Submit
C:\Windows\SysWOW64\scsimon.dll

Filesize
137KB

MD5
727db0934b7a8ad27b0350feb41d7044

SHA1
c3dcb9380a66152416e1bb6e3686a7944574b69c

SHA256
2f6d4e17409db7631637d6ab56632e682f908e93f8906597e166856b19c0b31b

SHA512
b59d7232e4af44b43569759012930243cf868c64c5e7255ce0b2d396d6979e9acb199f0f7d42475e9c5f42d90424c8e279b131c53b77e3f28b3859f17ae7568b

Download Submit
memory/1844-17-0x0000000000F20000-0x0000000000F43000-memory.dmp

Filesize
140KB

Download
memory/1844-31-0x00000000016D0000-0x00000000016F7000-memory.dmp

Filesize
156KB

Download
memory/1844-15-0x00000000016D0000-0x00000000016F7000-memory.dmp

Filesize
156KB

Download
memory/1844-25-0x0000000003520000-0x000000000353D000-memory.dmp

Filesize
116KB

Download
memory/1844-27-0x0000000003520000-0x000000000353D000-memory.dmp

Filesize
116KB

Download
memory/1844-30-0x0000000003520000-0x000000000353D000-memory.dmp

Filesize
116KB

Download
memory/1844-18-0x00000000016D0000-0x00000000016F7000-memory.dmp

Filesize
156KB

Download
memory/1844-29-0x0000000003520000-0x000000000353D000-memory.dmp

Filesize
116KB

Download
memory/1844-24-0x0000000003520000-0x000000000353D000-memory.dmp

Filesize
116KB

Download
memory/1844-28-0x0000000003520000-0x000000000353D000-memory.dmp

Filesize
116KB

Download
memory/3432-5-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3432-10-0x0000000002860000-0x000000000287D000-memory.dmp

Filesize
116KB

Download
memory/3432-12-0x0000000002860000-0x000000000287D000-memory.dmp

Filesize
116KB

Download
memory/3432-14-0x0000000002860000-0x000000000287D000-memory.dmp

Filesize
116KB

Download
memory/3432-16-0x0000000002860000-0x000000000287D000-memory.dmp

Filesize
116KB

Download
memory/3432-42-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3432-44-0x0000000043E50000-0x0000000043E77000-memory.dmp

Filesize
156KB

Download
memory/3432-13-0x0000000002860000-0x000000000287D000-memory.dmp

Filesize
116KB

Download
memory/3432-7-0x0000000002860000-0x000000000287D000-memory.dmp

Filesize
116KB

Download
memory/3432-6-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads