ramnit | 828599c57d7111892451deedf5b4be8ccd91a505fb60f2402f4a1f1c49e4609b

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

828599c57d7111892451deedf5b4be8ccd91a505fb60f2402f4a1f1c49e4609b.dll
Size

111KB
MD5

31aa3bc23c2cdb7ef511108cc593ee70
SHA1

29f2a9485edd516665c5dfc811c3e63af56b8b6c
SHA256

828599c57d7111892451deedf5b4be8ccd91a505fb60f2402f4a1f1c49e4609b
SHA512

9ed2ddf1d9b17eba646cc69480b9bb609aeaf9ad0af0a7b122ba4f9a4cab84e45fe9b9c19d9f0a12e37fcdfe3427c75289d4bc1132a2bc2b4031fcf44163d91c
SSDEEP

3072:oySFI8LZyHMpj7iefLFaHEYWv4GES6WM1Q:rv8LZyHGDLUHEYOh1cQ

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 4 IoCs

pid	Process
1928	rundll32mgr.exe
952	hrlEA21.tmp
1748	WaterMark.exe
1832	ywkkso.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1928-70-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1748-91-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1748-155-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1980	rundll32.exe
1980	rundll32.exe
1980	rundll32.exe
1980	rundll32.exe
1928	rundll32mgr.exe
1928	rundll32mgr.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\ywkkso.exe	hrlEA21.tmp
File opened for modification	C:\Windows\SysWOW64\ywkkso.exe	hrlEA21.tmp
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1832 set thread context of 980	1832	ywkkso.exe	34

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxEA50.tmp	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1748	WaterMark.exe
1748	WaterMark.exe
1748	WaterMark.exe
1748	WaterMark.exe
1748	WaterMark.exe
1748	WaterMark.exe
1748	WaterMark.exe
1748	WaterMark.exe
672	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	WaterMark.exe
Token: SeIncBasePriorityPrivilege	952	hrlEA21.tmp
Token: SeDebugPrivilege	672	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 1980	800	rundll32.exe	28
PID 800 wrote to memory of 1980	800	rundll32.exe	28
PID 800 wrote to memory of 1980	800	rundll32.exe	28
PID 800 wrote to memory of 1980	800	rundll32.exe	28
PID 800 wrote to memory of 1980	800	rundll32.exe	28
PID 800 wrote to memory of 1980	800	rundll32.exe	28
PID 800 wrote to memory of 1980	800	rundll32.exe	28
PID 1980 wrote to memory of 1928	1980	rundll32.exe	29
PID 1980 wrote to memory of 1928	1980	rundll32.exe	29
PID 1980 wrote to memory of 1928	1980	rundll32.exe	29
PID 1980 wrote to memory of 1928	1980	rundll32.exe	29
PID 1980 wrote to memory of 952	1980	rundll32.exe	30
PID 1980 wrote to memory of 952	1980	rundll32.exe	30
PID 1980 wrote to memory of 952	1980	rundll32.exe	30
PID 1980 wrote to memory of 952	1980	rundll32.exe	30
PID 1928 wrote to memory of 1748	1928	rundll32mgr.exe	31
PID 1928 wrote to memory of 1748	1928	rundll32mgr.exe	31
PID 1928 wrote to memory of 1748	1928	rundll32mgr.exe	31
PID 1928 wrote to memory of 1748	1928	rundll32mgr.exe	31
PID 1748 wrote to memory of 1348	1748	WaterMark.exe	32
PID 1748 wrote to memory of 1348	1748	WaterMark.exe	32
PID 1748 wrote to memory of 1348	1748	WaterMark.exe	32
PID 1748 wrote to memory of 1348	1748	WaterMark.exe	32
PID 1748 wrote to memory of 1348	1748	WaterMark.exe	32
PID 1748 wrote to memory of 1348	1748	WaterMark.exe	32
PID 1748 wrote to memory of 1348	1748	WaterMark.exe	32
PID 1748 wrote to memory of 1348	1748	WaterMark.exe	32
PID 1748 wrote to memory of 1348	1748	WaterMark.exe	32
PID 1748 wrote to memory of 1348	1748	WaterMark.exe	32
PID 1832 wrote to memory of 980	1832	ywkkso.exe	34
PID 1832 wrote to memory of 980	1832	ywkkso.exe	34
PID 1832 wrote to memory of 980	1832	ywkkso.exe	34
PID 1832 wrote to memory of 980	1832	ywkkso.exe	34
PID 1832 wrote to memory of 980	1832	ywkkso.exe	34
PID 1832 wrote to memory of 980	1832	ywkkso.exe	34
PID 952 wrote to memory of 1756	952	hrlEA21.tmp	35
PID 952 wrote to memory of 1756	952	hrlEA21.tmp	35
PID 952 wrote to memory of 1756	952	hrlEA21.tmp	35
PID 952 wrote to memory of 1756	952	hrlEA21.tmp	35
PID 1748 wrote to memory of 672	1748	WaterMark.exe	36
PID 1748 wrote to memory of 672	1748	WaterMark.exe	36
PID 1748 wrote to memory of 672	1748	WaterMark.exe	36
PID 1748 wrote to memory of 672	1748	WaterMark.exe	36
PID 1748 wrote to memory of 672	1748	WaterMark.exe	36
PID 1748 wrote to memory of 672	1748	WaterMark.exe	36
PID 1748 wrote to memory of 672	1748	WaterMark.exe	36
PID 1748 wrote to memory of 672	1748	WaterMark.exe	36
PID 1748 wrote to memory of 672	1748	WaterMark.exe	36
PID 1748 wrote to memory of 672	1748	WaterMark.exe	36
PID 672 wrote to memory of 260	672	svchost.exe	7
PID 672 wrote to memory of 260	672	svchost.exe	7
PID 672 wrote to memory of 260	672	svchost.exe	7
PID 672 wrote to memory of 260	672	svchost.exe	7
PID 672 wrote to memory of 260	672	svchost.exe	7
PID 672 wrote to memory of 332	672	svchost.exe	6
PID 672 wrote to memory of 332	672	svchost.exe	6
PID 672 wrote to memory of 332	672	svchost.exe	6
PID 672 wrote to memory of 332	672	svchost.exe	6
PID 672 wrote to memory of 332	672	svchost.exe	6
PID 672 wrote to memory of 368	672	svchost.exe	5
PID 672 wrote to memory of 368	672	svchost.exe	5
PID 672 wrote to memory of 368	672	svchost.exe	5
PID 672 wrote to memory of 368	672	svchost.exe	5
PID 672 wrote to memory of 368	672	svchost.exe	5

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:792
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1176
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:240
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1656
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1800
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1120
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1060
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:340
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:864
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:832
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:740
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:652
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:576
- C:\Windows\SysWOW64\ywkkso.exe
  C:\Windows\SysWOW64\ywkkso.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:980

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\828599c57d7111892451deedf5b4be8ccd91a505fb60f2402f4a1f1c49e4609b.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\828599c57d7111892451deedf5b4be8ccd91a505fb60f2402f4a1f1c49e4609b.dll,#1
    3⤵
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:1348
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:672
  - - C:\Users\Admin\AppData\Local\Temp\hrlEA21.tmp
      C:\Users\Admin\AppData\Local\Temp\hrlEA21.tmp
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\hrlEA21.tmp > nul
        5⤵
        
        PID:1756

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1956

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
65KB

MD5
849ef19ec0155d79d4fa5bfb5657b106

SHA1
eb7e7ff208ecb40d35755d8f36e31e2482166299

SHA256
8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

SHA512
30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
65KB

MD5
849ef19ec0155d79d4fa5bfb5657b106

SHA1
eb7e7ff208ecb40d35755d8f36e31e2482166299

SHA256
8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

SHA512
30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrlEA21.tmp

Filesize
36KB

MD5
eb4ddda9e715be4be7423fc87e42c1c6

SHA1
ec541ac7cfcd55f37758f9a33137e19257307c11

SHA256
842ee71c9e4b9e8b30d8471eb3632f3f4d1b29796a08c0e804d4fcf89a53b1b9

SHA512
8b1091a412c81bc9e143f838ab1b589c110e83bee9d5a45c0cdf79aea868e2a31e5713625db513ff74a923732ee1bceafcce8b51d83e79f7d013ca46d7967c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrlEA21.tmp

Filesize
36KB

MD5
eb4ddda9e715be4be7423fc87e42c1c6

SHA1
ec541ac7cfcd55f37758f9a33137e19257307c11

SHA256
842ee71c9e4b9e8b30d8471eb3632f3f4d1b29796a08c0e804d4fcf89a53b1b9

SHA512
8b1091a412c81bc9e143f838ab1b589c110e83bee9d5a45c0cdf79aea868e2a31e5713625db513ff74a923732ee1bceafcce8b51d83e79f7d013ca46d7967c4e

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
65KB

MD5
849ef19ec0155d79d4fa5bfb5657b106

SHA1
eb7e7ff208ecb40d35755d8f36e31e2482166299

SHA256
8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

SHA512
30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
65KB

MD5
849ef19ec0155d79d4fa5bfb5657b106

SHA1
eb7e7ff208ecb40d35755d8f36e31e2482166299

SHA256
8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

SHA512
30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

Download Submit
C:\Windows\SysWOW64\ywkkso.exe

Filesize
36KB

MD5
eb4ddda9e715be4be7423fc87e42c1c6

SHA1
ec541ac7cfcd55f37758f9a33137e19257307c11

SHA256
842ee71c9e4b9e8b30d8471eb3632f3f4d1b29796a08c0e804d4fcf89a53b1b9

SHA512
8b1091a412c81bc9e143f838ab1b589c110e83bee9d5a45c0cdf79aea868e2a31e5713625db513ff74a923732ee1bceafcce8b51d83e79f7d013ca46d7967c4e

Download Submit
C:\Windows\SysWOW64\ywkkso.exe

Filesize
36KB

MD5
eb4ddda9e715be4be7423fc87e42c1c6

SHA1
ec541ac7cfcd55f37758f9a33137e19257307c11

SHA256
842ee71c9e4b9e8b30d8471eb3632f3f4d1b29796a08c0e804d4fcf89a53b1b9

SHA512
8b1091a412c81bc9e143f838ab1b589c110e83bee9d5a45c0cdf79aea868e2a31e5713625db513ff74a923732ee1bceafcce8b51d83e79f7d013ca46d7967c4e

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
65KB

MD5
849ef19ec0155d79d4fa5bfb5657b106

SHA1
eb7e7ff208ecb40d35755d8f36e31e2482166299

SHA256
8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

SHA512
30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
65KB

MD5
849ef19ec0155d79d4fa5bfb5657b106

SHA1
eb7e7ff208ecb40d35755d8f36e31e2482166299

SHA256
8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

SHA512
30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

Download Submit
\Users\Admin\AppData\Local\Temp\hrlEA21.tmp

Filesize
36KB

MD5
eb4ddda9e715be4be7423fc87e42c1c6

SHA1
ec541ac7cfcd55f37758f9a33137e19257307c11

SHA256
842ee71c9e4b9e8b30d8471eb3632f3f4d1b29796a08c0e804d4fcf89a53b1b9

SHA512
8b1091a412c81bc9e143f838ab1b589c110e83bee9d5a45c0cdf79aea868e2a31e5713625db513ff74a923732ee1bceafcce8b51d83e79f7d013ca46d7967c4e

Download Submit
\Users\Admin\AppData\Local\Temp\hrlEA21.tmp

Filesize
36KB

MD5
eb4ddda9e715be4be7423fc87e42c1c6

SHA1
ec541ac7cfcd55f37758f9a33137e19257307c11

SHA256
842ee71c9e4b9e8b30d8471eb3632f3f4d1b29796a08c0e804d4fcf89a53b1b9

SHA512
8b1091a412c81bc9e143f838ab1b589c110e83bee9d5a45c0cdf79aea868e2a31e5713625db513ff74a923732ee1bceafcce8b51d83e79f7d013ca46d7967c4e

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
65KB

MD5
849ef19ec0155d79d4fa5bfb5657b106

SHA1
eb7e7ff208ecb40d35755d8f36e31e2482166299

SHA256
8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

SHA512
30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
65KB

MD5
849ef19ec0155d79d4fa5bfb5657b106

SHA1
eb7e7ff208ecb40d35755d8f36e31e2482166299

SHA256
8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

SHA512
30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

Download Submit
memory/672-99-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/672-96-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/980-81-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/980-83-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1348-75-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1348-156-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1348-86-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1348-92-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1748-155-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1748-91-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1748-93-0x00000000003A0000-0x00000000003C1000-memory.dmp

Filesize
132KB

Download
memory/1928-72-0x0000000000220000-0x0000000000241000-memory.dmp

Filesize
132KB

Download
memory/1928-70-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1980-90-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1980-55-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download