ramnit | e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529

General

Target

e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Size

252KB
MD5

43bd08991f7824b978d998ab7a9b0600
SHA1

5e1ae02400e5854c87781a3547e143d31d85312c
SHA256

e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529
SHA512

cd353c7f7104b6dc58a75c4c0a52b049fcc61ccdf6eba923d6f3539584c8ea7f2905bda01cc344f0d9dc579932ae317cef9e0699f1c0614c74dd6a2e54c68d80
SSDEEP

3072:mR2xn3k0CdM1vabyzJYWqaH87onClrA42s8Y/DH8CBDKQ4soITntOOzs1lEaX:mR2J0LS6VdAClrA42ZYrN2Q4ctOOojEM

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exeWaterMark.exe

pid process

1732 e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
940 WaterMark.exe

pid	process
1732	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
940	WaterMark.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1732-64-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/940-78-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/940-198-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exee32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe

pid	process
856	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
856	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
1732	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
1732	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe
File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 10 IoCs

Processes:

svchost.exee32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxEF0.tmp	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1748 856 WerFault.exe e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

pid	pid_target	process	target process
1748	856	WerFault.exe	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

WaterMark.exesvchost.exe

pid	process
940	WaterMark.exe
940	WaterMark.exe
940	WaterMark.exe
940	WaterMark.exe
940	WaterMark.exe
940	WaterMark.exe
940	WaterMark.exe
940	WaterMark.exe
1120	svchost.exe
1120	svchost.exe
1120	svchost.exe
1120	svchost.exe
1120	svchost.exe
1120	svchost.exe
1120	svchost.exe
1120	svchost.exe
1120	svchost.exe
1120	svchost.exe
1120	svchost.exe
1120	svchost.exe
1120	svchost.exe
1120	svchost.exe
1120	svchost.exe
1120	svchost.exe
1120	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

WaterMark.exesvchost.exee32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	940	WaterMark.exe
Token: SeDebugPrivilege	1120	svchost.exe
Token: SeDebugPrivilege	856	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
Token: SeDebugPrivilege	1748	WerFault.exe
Token: SeDebugPrivilege	940	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exee32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exeWaterMark.exesvchost.exe

description	pid	process	target process
PID 856 wrote to memory of 1732	856	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
PID 856 wrote to memory of 1732	856	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
PID 856 wrote to memory of 1732	856	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
PID 856 wrote to memory of 1732	856	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
PID 1732 wrote to memory of 940	1732	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe	WaterMark.exe
PID 1732 wrote to memory of 940	1732	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe	WaterMark.exe
PID 1732 wrote to memory of 940	1732	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe	WaterMark.exe
PID 1732 wrote to memory of 940	1732	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe	WaterMark.exe
PID 856 wrote to memory of 1748	856	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	WerFault.exe
PID 856 wrote to memory of 1748	856	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	WerFault.exe
PID 856 wrote to memory of 1748	856	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	WerFault.exe
PID 856 wrote to memory of 1748	856	e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe	WerFault.exe
PID 940 wrote to memory of 2044	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 2044	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 2044	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 2044	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 2044	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 2044	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 2044	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 2044	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 2044	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 2044	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 1120	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 1120	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 1120	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 1120	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 1120	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 1120	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 1120	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 1120	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 1120	940	WaterMark.exe	svchost.exe
PID 940 wrote to memory of 1120	940	WaterMark.exe	svchost.exe
PID 1120 wrote to memory of 260	1120	svchost.exe	smss.exe
PID 1120 wrote to memory of 260	1120	svchost.exe	smss.exe
PID 1120 wrote to memory of 260	1120	svchost.exe	smss.exe
PID 1120 wrote to memory of 260	1120	svchost.exe	smss.exe
PID 1120 wrote to memory of 260	1120	svchost.exe	smss.exe
PID 1120 wrote to memory of 336	1120	svchost.exe	csrss.exe
PID 1120 wrote to memory of 336	1120	svchost.exe	csrss.exe
PID 1120 wrote to memory of 336	1120	svchost.exe	csrss.exe
PID 1120 wrote to memory of 336	1120	svchost.exe	csrss.exe
PID 1120 wrote to memory of 336	1120	svchost.exe	csrss.exe
PID 1120 wrote to memory of 372	1120	svchost.exe	wininit.exe
PID 1120 wrote to memory of 372	1120	svchost.exe	wininit.exe
PID 1120 wrote to memory of 372	1120	svchost.exe	wininit.exe
PID 1120 wrote to memory of 372	1120	svchost.exe	wininit.exe
PID 1120 wrote to memory of 372	1120	svchost.exe	wininit.exe
PID 1120 wrote to memory of 384	1120	svchost.exe	csrss.exe
PID 1120 wrote to memory of 384	1120	svchost.exe	csrss.exe
PID 1120 wrote to memory of 384	1120	svchost.exe	csrss.exe
PID 1120 wrote to memory of 384	1120	svchost.exe	csrss.exe
PID 1120 wrote to memory of 384	1120	svchost.exe	csrss.exe
PID 1120 wrote to memory of 420	1120	svchost.exe	winlogon.exe
PID 1120 wrote to memory of 420	1120	svchost.exe	winlogon.exe
PID 1120 wrote to memory of 420	1120	svchost.exe	winlogon.exe
PID 1120 wrote to memory of 420	1120	svchost.exe	winlogon.exe
PID 1120 wrote to memory of 420	1120	svchost.exe	winlogon.exe
PID 1120 wrote to memory of 464	1120	svchost.exe	services.exe
PID 1120 wrote to memory of 464	1120	svchost.exe	services.exe
PID 1120 wrote to memory of 464	1120	svchost.exe	services.exe
PID 1120 wrote to memory of 464	1120	svchost.exe	services.exe
PID 1120 wrote to memory of 464	1120	svchost.exe	services.exe
PID 1120 wrote to memory of 480	1120	svchost.exe	lsass.exe
PID 1120 wrote to memory of 480	1120	svchost.exe	lsass.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:832

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1680

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1028

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:580

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe
"C:\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
C:\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1732

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2044

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 152
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1748

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1808

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
65KB

MD5
849ef19ec0155d79d4fa5bfb5657b106

SHA1
eb7e7ff208ecb40d35755d8f36e31e2482166299

SHA256
8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

SHA512
30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
65KB

MD5
849ef19ec0155d79d4fa5bfb5657b106

SHA1
eb7e7ff208ecb40d35755d8f36e31e2482166299

SHA256
8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

SHA512
30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
Filesize
65KB

MD5
849ef19ec0155d79d4fa5bfb5657b106

SHA1
eb7e7ff208ecb40d35755d8f36e31e2482166299

SHA256
8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

SHA512
30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
Filesize
65KB

MD5
849ef19ec0155d79d4fa5bfb5657b106

SHA1
eb7e7ff208ecb40d35755d8f36e31e2482166299

SHA256
8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

SHA512
30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
65KB

MD5
849ef19ec0155d79d4fa5bfb5657b106

SHA1
eb7e7ff208ecb40d35755d8f36e31e2482166299

SHA256
8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

SHA512
30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
65KB

MD5
849ef19ec0155d79d4fa5bfb5657b106

SHA1
eb7e7ff208ecb40d35755d8f36e31e2482166299

SHA256
8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

SHA512
30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

Download Submit
\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
Filesize
65KB

MD5
849ef19ec0155d79d4fa5bfb5657b106

SHA1
eb7e7ff208ecb40d35755d8f36e31e2482166299

SHA256
8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

SHA512
30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

Download Submit
\Users\Admin\AppData\Local\Temp\e32ab7cabe965e4c4228c3ecb9a67dff169295bddb56d34789a34f7bdf8e4529mgr.exe
Filesize
65KB

MD5
849ef19ec0155d79d4fa5bfb5657b106

SHA1
eb7e7ff208ecb40d35755d8f36e31e2482166299

SHA256
8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

SHA512
30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

Download Submit
memory/856-136-0x0000000020020000-0x000000002002B000-memory.dmp

Filesize
44KB

Download
memory/856-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/856-77-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/940-62-0x0000000000000000-mapping.dmp

Download
memory/940-78-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/940-198-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1120-84-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1120-83-0x0000000000000000-mapping.dmp

Download
memory/1120-81-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1732-66-0x0000000000220000-0x0000000000241000-memory.dmp

Filesize
132KB

Download
memory/1732-64-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1732-57-0x0000000000000000-mapping.dmp

Download
memory/1748-63-0x0000000000000000-mapping.dmp

Download
memory/2044-79-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2044-73-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2044-71-0x0000000000000000-mapping.dmp

Download
memory/2044-69-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2044-199-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads