ramnit | 24de4d60a3c47cb3b323292fb832571992a2bee924031cd89432c5deee8342c1

General

Target

fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe
Size

100KB
MD5

fa932569d765ca8acd7ae5e7ca1ae67e
SHA1

781889fcc52b7bdaf6eb2a9943d46e0793c2a807
SHA256

24de4d60a3c47cb3b323292fb832571992a2bee924031cd89432c5deee8342c1
SHA512

47b29459323356b1bdb72bb93bc4a4699b2f915afd6489f74b72efcb43cfc2b3e3e012fb60c4c78e7a162b1cd7fdcef6cf3955a4db4aecf07f59ee8e7f89f8a7
SSDEEP

3072:AVUAXECKcXd00AoBeiyro9Lu7MKGVk8jwaaHw7Koj4rDMUeRF:eZNKo00iiyrsIMKjeF

Score

10^/10

ramnit banker spyware stealer trojan worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

auvbhafccefejqvu.exe

pid process

936 auvbhafccefejqvu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2768 3640 WerFault.exe svchost.exe
2744 5044 WerFault.exe svchost.exe

pid	process
936	auvbhafccefejqvu.exe

pid	pid_target	process	target process
2768	3640	WerFault.exe	svchost.exe
2744	5044	WerFault.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101548"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101548"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31101548"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101548"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420304523"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3B9608A4-FE5F-11EE-B9F7-CE945492B8DF} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "292000875"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "272001239"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "272001239"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "468720068"	IEXPLORE.EXE

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

652

pid	process
652

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exeauvbhafccefejqvu.exe

description	pid	process
Token: SeSecurityPrivilege	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe
Token: SeDebugPrivilege	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe
Token: SeSecurityPrivilege	936	auvbhafccefejqvu.exe
Token: SeLoadDriverPrivilege	936	auvbhafccefejqvu.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

IEXPLORE.EXE

pid process

4444 IEXPLORE.EXE
4444 IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
4444	IEXPLORE.EXE
4444	IEXPLORE.EXE
4912	IEXPLORE.EXE
4912	IEXPLORE.EXE
4912	IEXPLORE.EXE
4912	IEXPLORE.EXE
4444	IEXPLORE.EXE
4444	IEXPLORE.EXE
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exeiexplore.exeIEXPLORE.EXEiexplore.exe

description	pid	process	target process
PID 956 wrote to memory of 3640	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 3640	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 3640	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 3640	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 3640	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 3640	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 3640	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 3640	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 3640	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 4952	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	iexplore.exe
PID 956 wrote to memory of 4952	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	iexplore.exe
PID 956 wrote to memory of 4952	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	iexplore.exe
PID 4952 wrote to memory of 4444	4952	iexplore.exe	IEXPLORE.EXE
PID 4952 wrote to memory of 4444	4952	iexplore.exe	IEXPLORE.EXE
PID 4444 wrote to memory of 4912	4444	IEXPLORE.EXE	IEXPLORE.EXE
PID 4444 wrote to memory of 4912	4444	IEXPLORE.EXE	IEXPLORE.EXE
PID 4444 wrote to memory of 4912	4444	IEXPLORE.EXE	IEXPLORE.EXE
PID 956 wrote to memory of 5044	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 5044	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 5044	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 5044	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 5044	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 5044	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 5044	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 5044	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 5044	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	svchost.exe
PID 956 wrote to memory of 4664	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	iexplore.exe
PID 956 wrote to memory of 4664	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	iexplore.exe
PID 956 wrote to memory of 4664	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	iexplore.exe
PID 4664 wrote to memory of 4336	4664	iexplore.exe	IEXPLORE.EXE
PID 4664 wrote to memory of 4336	4664	iexplore.exe	IEXPLORE.EXE
PID 4444 wrote to memory of 2876	4444	IEXPLORE.EXE	IEXPLORE.EXE
PID 4444 wrote to memory of 2876	4444	IEXPLORE.EXE	IEXPLORE.EXE
PID 4444 wrote to memory of 2876	4444	IEXPLORE.EXE	IEXPLORE.EXE
PID 956 wrote to memory of 936	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	auvbhafccefejqvu.exe
PID 956 wrote to memory of 936	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	auvbhafccefejqvu.exe
PID 956 wrote to memory of 936	956	fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe	auvbhafccefejqvu.exe

C:\Users\Admin\AppData\Local\Temp\fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa932569d765ca8acd7ae5e7ca1ae67e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 204
3⤵
- Program crash
PID:2768

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4952

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4444

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4444 CREDAT:17410 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4444 CREDAT:17416 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2876

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 212
3⤵
- Program crash
PID:2744

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4664

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
3⤵
- Modifies Internet Explorer settings
PID:4336

C:\Users\Admin\AppData\Local\Temp\auvbhafccefejqvu.exe
"C:\Users\Admin\AppData\Local\Temp\auvbhafccefejqvu.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3640 -ip 3640
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5044 -ip 5044
1⤵
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:4740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
4e981d0b7c38bdc36065b0244ef73c15

SHA1
c9ec66cc6b2049c4801d9256cdf50bfa772227e8

SHA256
ffde49ad889e401f6b4e5df21406b6bdee53635137333c4947f990013472d3e4

SHA512
a77173d5b6759bf062a1a0766f7de0456958435b671ed4ca8dad2cc434b2a707d1cf0c3a6038886f7f5bbed030efff46028c7bd0b478f09a47283589b2851a30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
c606ca4c3990a34ba3aba0179e27e25f

SHA1
53137d12ee0c25c3e6320434950ea7f998c0016d

SHA256
da1a66ca978d9e23ef46f4cd4093eee79a681b611332a2cecdd1d3b2f82e0146

SHA512
8768bda2738c2fec3ca3c52297a7c128925046b6cedb717cd1f2846b630d8947f516480957c7364dc82efcb87f40798012e4b88ec395e6f6db3abde406a40dbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\auvbhafccefejqvu.exe
Filesize
100KB

MD5
fa932569d765ca8acd7ae5e7ca1ae67e

SHA1
781889fcc52b7bdaf6eb2a9943d46e0793c2a807

SHA256
24de4d60a3c47cb3b323292fb832571992a2bee924031cd89432c5deee8342c1

SHA512
47b29459323356b1bdb72bb93bc4a4699b2f915afd6489f74b72efcb43cfc2b3e3e012fb60c4c78e7a162b1cd7fdcef6cf3955a4db4aecf07f59ee8e7f89f8a7

Download Submit
memory/936-46-0x0000000000400000-0x000000000043A6BC-memory.dmp

Filesize
233KB

Download
memory/936-43-0x00000000006C0000-0x00000000006C2000-memory.dmp

Filesize
8KB

Download
memory/936-42-0x0000000000400000-0x000000000043A6BC-memory.dmp

Filesize
233KB

Download
memory/956-12-0x0000000000400000-0x000000000043A6BC-memory.dmp

Filesize
233KB

Download
memory/956-7-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/956-1-0x0000000000432000-0x000000000043B000-memory.dmp

Filesize
36KB

Download
memory/956-0-0x0000000000400000-0x000000000043A6BC-memory.dmp

Filesize
233KB

Download
memory/956-17-0x0000000000400000-0x000000000043A6BC-memory.dmp

Filesize
233KB

Download
memory/956-19-0x00000000779F2000-0x00000000779F3000-memory.dmp

Filesize
4KB

Download
memory/956-8-0x00000000779F2000-0x00000000779F3000-memory.dmp

Filesize
4KB

Download
memory/956-2-0x0000000000400000-0x000000000043A6BC-memory.dmp

Filesize
233KB

Download
memory/956-29-0x0000000000400000-0x000000000043A6BC-memory.dmp

Filesize
233KB

Download
memory/956-6-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/956-4-0x00000000004A0000-0x00000000004A2000-memory.dmp

Filesize
8KB

Download
memory/956-3-0x0000000000400000-0x000000000043A6BC-memory.dmp

Filesize
233KB

Download
memory/3640-11-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3640-10-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads