gh0strat | 47fd4fcbad0d377d2a4be0e17c4f58ec3de3ccb71b7c1107070c3b14ced7d7b9

General

Target

47fd4fcbad0d377d2a4be0e17c4f58ec3de3ccb71b7c1107070c3b14ced7d7b9.dll
Size

137KB
MD5

946389dc464e29da1f3448537cdd1afa
SHA1

08fcb8233737bf7b6b0ccc5f64b7225372c1e56f
SHA256

47fd4fcbad0d377d2a4be0e17c4f58ec3de3ccb71b7c1107070c3b14ced7d7b9
SHA512

a43a8730f0978a5730e39e3c5de7c7e8c546445ecf2ab5feda4ec15e1ad8a7b435c27391d9cf785943efaf3f1bb99179ca1c6dcf4a0d72de5b266fb6f1184f73
SSDEEP

3072:RR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUuz:825GgFny61mraB

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/2936-6-0x0000000010000000-0x000000001001C000-memory.dmp	family_gh0strat
behavioral2/memory/2936-5-0x0000000010000000-0x000000001001C000-memory.dmp	family_gh0strat
behavioral2/memory/5024-22-0x0000000010000000-0x000000001001C000-memory.dmp	family_gh0strat
behavioral2/memory/2936-42-0x0000000010000000-0x000000001001C000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	2936	rundll32.exe

Boot or Logon Autostart Execution: Port Monitors 1 TTPs 16 IoCs

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

persistence

Port Monitors

T1547.010

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor\Driver = "scsimon.dll"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor	Spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor\Driver = "scsimon.dll"	rundll32.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor	rundll32.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint	Spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports	Spoolsv.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\ImagePath = "Spoolsv.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\ImagePath = "Spoolsv.exe"	svchost.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/memory/2936-6-0x0000000010000000-0x000000001001C000-memory.dmp	acprotect
behavioral2/memory/2936-5-0x0000000010000000-0x000000001001C000-memory.dmp	acprotect
behavioral2/memory/2936-7-0x00000000027E0000-0x00000000027FD000-memory.dmp	acprotect
behavioral2/memory/2936-10-0x00000000027E0000-0x00000000027FD000-memory.dmp	acprotect
behavioral2/memory/2936-13-0x00000000027E0000-0x00000000027FD000-memory.dmp	acprotect
behavioral2/memory/2936-15-0x00000000027E0000-0x00000000027FD000-memory.dmp	acprotect
behavioral2/memory/2936-14-0x00000000027E0000-0x00000000027FD000-memory.dmp	acprotect
behavioral2/memory/2936-12-0x00000000027E0000-0x00000000027FD000-memory.dmp	acprotect
behavioral2/memory/5024-22-0x0000000010000000-0x000000001001C000-memory.dmp	acprotect
behavioral2/memory/5024-26-0x0000000002C30000-0x0000000002C4D000-memory.dmp	acprotect
behavioral2/memory/5024-30-0x0000000002C30000-0x0000000002C4D000-memory.dmp	acprotect
behavioral2/memory/5024-31-0x0000000002C30000-0x0000000002C4D000-memory.dmp	acprotect
behavioral2/memory/5024-29-0x0000000002C30000-0x0000000002C4D000-memory.dmp	acprotect
behavioral2/memory/5024-28-0x0000000002C30000-0x0000000002C4D000-memory.dmp	acprotect
behavioral2/memory/5024-25-0x0000000002C30000-0x0000000002C4D000-memory.dmp	acprotect
behavioral2/memory/2936-42-0x0000000010000000-0x000000001001C000-memory.dmp	acprotect

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\scsimon.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\com\comb.dll	rundll32.exe
File created	C:\Windows\SysWOW64\Miscson.dll	rundll32.exe
File created	C:\Windows\SysWOW64\scsimon.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\com\comb.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Miscson.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\scsimon.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Miscson.dll	svchost.exe
File created	C:\Windows\SysWOW64\Miscson.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\scsimon.dll	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2936 set thread context of 5024	2936	rundll32.exe	88

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\AppPatch\ComBack.Dll	rundll32.exe
File opened for modification	C:\Windows\AppPatch\AcSvcst.dll	rundll32.exe
File created	C:\Windows\AppPatch\AcSvcst.dll	rundll32.exe
File opened for modification	C:\Windows\AppPatch\ComBack.Dll	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3528	2936	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	Spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	Spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	Spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	Spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	Spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	Spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Spoolsv.exe

Modifies data under HKEY_USERS 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	Spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices	Spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	Spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	Spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices	Spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	Spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices	Spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45"	Spoolsv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	rundll32.exe
Token: SeDebugPrivilege	5024	svchost.exe
Token: SeDebugPrivilege	2936	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 2936	564	rundll32.exe	85
PID 564 wrote to memory of 2936	564	rundll32.exe	85
PID 564 wrote to memory of 2936	564	rundll32.exe	85
PID 2936 wrote to memory of 5024	2936	rundll32.exe	88
PID 2936 wrote to memory of 5024	2936	rundll32.exe	88
PID 2936 wrote to memory of 5024	2936	rundll32.exe	88
PID 2936 wrote to memory of 5024	2936	rundll32.exe	88

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\47fd4fcbad0d377d2a4be0e17c4f58ec3de3ccb71b7c1107070c3b14ced7d7b9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:564
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\47fd4fcbad0d377d2a4be0e17c4f58ec3de3ccb71b7c1107070c3b14ced7d7b9.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Boot or Logon Autostart Execution: Port Monitors
  - Sets service image path in registry
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe -k rundll32
    3⤵
    - Boot or Logon Autostart Execution: Port Monitors
    - Sets service image path in registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 624
    3⤵
    - Program crash
    PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2936 -ip 2936
1⤵
PID:624

C:\Windows\system32\Spoolsv.exe
Spoolsv.exe
1⤵
PID:4312

C:\Windows\system32\Spoolsv.exe
Spoolsv.exe
1⤵
- Boot or Logon Autostart Execution: Port Monitors
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Port Monitors

1

T1547.010

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Port Monitors

1

T1547.010

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AppPatch\ComBack.Dll

Filesize
137KB

MD5
e75eeddd5d3078710a3606fcc45bcdd8

SHA1
d0a0707ad8f2fbc92abf54a34f136f67cfc2236f

SHA256
6d0872ed755d0e855f27b2e672302d03c309cda6eaef10357970cc8b2c14d95c

SHA512
b94b38244ebf414772ce6268754fbebaa58f3b8f700edeae717e31979d215eb6e185311e9416d25d6b8d0ccd73c4412db304f9e8262ac58536cfe67f69252063

Download Submit
C:\Windows\SysWOW64\Miscson.dll

Filesize
137KB

MD5
d16190e8feed88b04e5ded46a3ead5aa

SHA1
5785849934b8af8cc85ffac6833af428afe1fd90

SHA256
6c79a8e77fd110e2aad643e39f32a91e8db2f4924b47dcdb9247df78895d2bc0

SHA512
d580c9232f5eec3c9d3df0eb1315f8b62ddce61e2f441585e39c6d1609b1740b6b0555923ea448a71ea3ba136f77a9227f52cf68266810e8ff91f4671f26c292

Download Submit
C:\Windows\SysWOW64\com\comb.dll

Filesize
128B

MD5
b47bfb47c690d2981e2c99b14f55ea71

SHA1
3f95da51b7c6f7b2fcdaa60231d3ab4ce4cabf6c

SHA256
9a2cdf8739c0ec98a1e5ada556a23ce88827e5f7dca55622f7c5798f6bedde26

SHA512
07ecc26c554ff7b3fe19eadb9228535d285e46c4324a1b2ca5e91dac44a08567c40d94b7eb68714f533720106bf95f5e0d7ef96b1b22bd0262c0945ebc455626

Download Submit
C:\Windows\SysWOW64\com\comb.dll

Filesize
247B

MD5
6d1fbe9dab84d504cb47697c15c1a7aa

SHA1
3912f63954e30d9031f843af01ca791b1404aa09

SHA256
301b47d6b09a86103748430e7ff5415dc55204f739d9f2ffda19899fcd336384

SHA512
c8af9e35c09ff2bf7df02bc0faacbb0a639d115aaddc9f9a9272e7e7bc7bc1954ae4b7eae1d4017e8dac3d84830a883224b9360b1fd4613de29bf030908591fd

Download Submit
C:\Windows\SysWOW64\com\comb.dll

Filesize
326B

MD5
3c13c3390966a6bfdfb2439c0be7647d

SHA1
adce8de859bdab3d672aeeee46f5ec83a8a07cd4

SHA256
4123708a026b8ed3e84432940592eeefc309a8ea426bdcd9ffd9d65e2fbd8639

SHA512
f747ba64e9bd77434a2c07b1f60002c7b7bac7ddaaf3c86c03d56c99262549a3b725c49eebd1df4c33594db3a683c156edafe0ce9f7788e4deb5fdce53df8975

Download Submit
C:\Windows\SysWOW64\scsimon.dll

Filesize
137KB

MD5
bdb59c31e834656c7a4df8a45f110b5b

SHA1
0890e51e62a4def6ba64dd25ce5b46aaa3997a23

SHA256
cf8156bf16389da47b8c1f38c06b973b040a2767e255e6b7d4ee64960663f832

SHA512
c286c772c452fe682f38799c73587d2dbad50e8f02e519f83d0bfcccb990112f348f7749060c7480b14f49861c2121d581031bc51c6a352dbafa076cf5ce1377

Download Submit
memory/2936-13-0x00000000027E0000-0x00000000027FD000-memory.dmp

Filesize
116KB

Download
memory/2936-6-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2936-15-0x00000000027E0000-0x00000000027FD000-memory.dmp

Filesize
116KB

Download
memory/2936-14-0x00000000027E0000-0x00000000027FD000-memory.dmp

Filesize
116KB

Download
memory/2936-12-0x00000000027E0000-0x00000000027FD000-memory.dmp

Filesize
116KB

Download
memory/2936-10-0x00000000027E0000-0x00000000027FD000-memory.dmp

Filesize
116KB

Download
memory/2936-7-0x00000000027E0000-0x00000000027FD000-memory.dmp

Filesize
116KB

Download
memory/2936-5-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2936-44-0x0000000043E50000-0x0000000043E77000-memory.dmp

Filesize
156KB

Download
memory/2936-42-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/5024-16-0x0000000000E00000-0x0000000000E27000-memory.dmp

Filesize
156KB

Download
memory/5024-29-0x0000000002C30000-0x0000000002C4D000-memory.dmp

Filesize
116KB

Download
memory/5024-28-0x0000000002C30000-0x0000000002C4D000-memory.dmp

Filesize
116KB

Download
memory/5024-25-0x0000000002C30000-0x0000000002C4D000-memory.dmp

Filesize
116KB

Download
memory/5024-31-0x0000000002C30000-0x0000000002C4D000-memory.dmp

Filesize
116KB

Download
memory/5024-30-0x0000000002C30000-0x0000000002C4D000-memory.dmp

Filesize
116KB

Download
memory/5024-26-0x0000000002C30000-0x0000000002C4D000-memory.dmp

Filesize
116KB

Download
memory/5024-45-0x0000000000E00000-0x0000000000E27000-memory.dmp

Filesize
156KB

Download
memory/5024-22-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/5024-18-0x0000000000E00000-0x0000000000E27000-memory.dmp

Filesize
156KB

Download
memory/5024-17-0x0000000000620000-0x0000000000643000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads