Analysis

max time kernel: 120s
max time network: 94s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 06:45

Static task: static1

Behavioral task: behavioral1
Sample: 13f3780e31e32b00c1abc4dc3a8d48dc1fac5360c0f35bdc60630924eda3644cN.dll
Resource: win7-20241010-en
General

Target: 13f3780e31e32b00c1abc4dc3a8d48dc1fac5360c0f35bdc60630924eda3644cN.dll
Size: 284KB
MD5: 7c8f7bde54f1da15c55dc2b7c2f3ce10
SHA1: 7292ab49ffe7f7ff9184c42736fcfe5e5b4ad8fd
SHA256: 13f3780e31e32b00c1abc4dc3a8d48dc1fac5360c0f35bdc60630924eda3644c
SHA512: 1aead191699e676348b9ab3c3914f42bd2364bd2eb07ff831b80a8f1d66da0d579741777c00b54dafeaf9cf34d5b6a2c0c8f70fb1e94f19e78358b6ab7200663
SSDEEP: 6144:dMqWfdNAF0/p8O456wg+RFxj3OWmgvWruTyOQMYM:GqWfdNAqpV45a+FxLmb5MYM
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe
Ramnit family
Executes dropped EXE (4 IoCs)
  pid | Process
  484 | rundll32mgr.exe
  2436 | rundll32mgrmgr.exe
  2664 | WaterMark.exe
  2944 | WaterMark.exe

Loads dropped DLL (8 IoCs)
  pid | Process
  2308 | rundll32.exe
  2308 | rundll32.exe
  484 | rundll32mgr.exe
  484 | rundll32mgr.exe
  484 | rundll32mgr.exe
  2436 | rundll32mgrmgr.exe
  484 | rundll32mgr.exe
  2436 | rundll32mgrmgr.exe

Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
  File created | C:\Windows\SysWOW64\rundll32mgrmgr.exe | rundll32mgr.exe
  File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe

  resource | yara_rule
  behavioral1/memory/484-28-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2436-41-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/484-40-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/484-37-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/484-35-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2436-33-0x0000000000400000-0x000000000042B000-memory.dmp | upx
  behavioral1/memory/484-27-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/484-26-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/484-25-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2664-65-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2664-64-0x0000000000400000-0x000000000042B000-memory.dmp | upx
  behavioral1/memory/2664-151-0x0000000000400000-0x0000000000421000-memory.dmp | upx
Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_chromecast_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\System\wab32.dll | svchost.exe
  File opened for modification | C:\Program Files\DisableDismount.htm | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Selectors.Resources.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libdav1d_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\DVD Maker\OmdProject.dll | svchost.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationCore.resources.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Resources.dll | svchost.exe
  File opened for modification | C:\Program Files\Windows Media Player\wmpconfig.exe | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jawt.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.DataSetExtensions.Resources.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\logger\libfile_logger_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libkate_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libt140_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mp4_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Windows Journal\JNTFiltr.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Classic.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\msdaps.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpsychedelic_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Selectors.Resources.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libtdummy_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_output\libadummy_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | svchost.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\NAMEEXT.DLL | svchost.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Windows.Presentation.resources.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libparam_eq_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\hprof.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile.html | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatialaudio_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Windows Media Player\wmpnssci.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libttml_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\keystore\libmemory_keystore_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\JAWTAccessBridge-64.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\jp2launcher.exe | svchost.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\tnameserv.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | svchost.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\IA2Marshal.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_h264_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudiobargraph_a_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\msdatl3.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | svchost.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\jp2ssv.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Client.resources.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Windows.Presentation.resources.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dts_plugin.dll | svchost.exe
System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32mgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32mgrmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid | Process
  2944 | WaterMark.exe (2 entries)
  2664 | WaterMark.exe (8 entries)
  2944 | WaterMark.exe (6 entries)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2308 | rundll32.exe
  Token: SeDebugPrivilege | 2944 | WaterMark.exe
  Token: SeDebugPrivilege | 2664 | WaterMark.exe
  Token: SeDebugPrivilege | 2980 | svchost.exe
  Token: SeDebugPrivilege | 376 | svchost.exe

Suspicious use of UnmapMainImage (4 IoCs)
  pid | Process
  484 | rundll32mgr.exe
  2436 | rundll32mgrmgr.exe
  2664 | WaterMark.exe
  2944 | WaterMark.exe

Suspicious use of WriteProcessMemory (63 IoCs; identical consecutive entries grouped with their count)
  description | pid | Process | procid_target
  PID 1672 wrote to memory of 2308 | 1672 | rundll32.exe | 31 (7 entries)
  PID 2308 wrote to memory of 484 | 2308 | rundll32.exe | 32 (4 entries)
  PID 484 wrote to memory of 2436 | 484 | rundll32mgr.exe | 33 (4 entries)
  PID 484 wrote to memory of 2664 | 484 | rundll32mgr.exe | 35 (4 entries)
  PID 2436 wrote to memory of 2944 | 2436 | rundll32mgrmgr.exe | 34 (4 entries)
  PID 2664 wrote to memory of 2672 | 2664 | WaterMark.exe | 37 (10 entries)
  PID 2944 wrote to memory of 2640 | 2944 | WaterMark.exe | 36 (10 entries)
  PID 2664 wrote to memory of 2980 | 2664 | WaterMark.exe | 38 (10 entries)
  PID 2944 wrote to memory of 376 | 2944 | WaterMark.exe | 39 (10 entries)
Processes

C:\Windows\system32\rundll32.exe (PID 1672)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\13f3780e31e32b00c1abc4dc3a8d48dc1fac5360c0f35bdc60630924eda3644cN.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 2308)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\13f3780e31e32b00c1abc4dc3a8d48dc1fac5360c0f35bdc60630924eda3644cN.dll,#1
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32mgr.exe (PID 484)
      command line: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32mgrmgr.exe (PID 2436)
        command line: C:\Windows\SysWOW64\rundll32mgrmgr.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\WaterMark.exe (PID 2944)
          command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\svchost.exe (PID 2640)
            command line: C:\Windows\system32\svchost.exe
            - System Location Discovery: System Language Discovery
          C:\Windows\SysWOW64\svchost.exe (PID 376)
            command line: C:\Windows\system32\svchost.exe
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
      C:\Program Files (x86)\Microsoft\WaterMark.exe (PID 2664)
        command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe (PID 2672)
          command line: C:\Windows\system32\svchost.exe
          - Modifies WinLogon for persistence
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\svchost.exe (PID 2980)
          command line: C:\Windows\system32\svchost.exe
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  Filesize: 259KB
  MD5: 5622289a8695414fa195251ff341089d
  SHA1: 553f536347c3169eb8c3a3b909b1cddb2bd3220a
  SHA256: 25d1b78b4e819bf3f3862b11b0619743452b00dae6a5d23bee4d43f83d24121f
  SHA512: f42ee76ebb474144014fb3c0d34f05cdb4e160257e970e3c675a258b7ebab1d29860b5b7b74d9bf5c4d8b75d92759f34b8a917e381dd1d26f99ee4ecdd39ab97

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  Filesize: 255KB
  MD5: 6f7e07065f917e275c7fcdf4ab521b63
  SHA1: 40fce53d7e4f88c9ac26089cc1ca66e2fc021b3f
  SHA256: a959871e48d99e28015c2d75b2c11cbc05af7cb666e22ab0978f56f2c9c90375
  SHA512: 744efc81c1465c2523402702c5541d49688918fcf084d941b99bec93578a050a9eaa6cbce749ca08a7fcc89c4626553b70cff86923dcb5b42b6c9284d3f987e7

(path not present in extraction)
  Filesize: 249KB
  MD5: 725aad1265430294dabb34fbbdd37b60
  SHA1: e6f02781f9dfe58ba653554d45ef027646638d41
  SHA256: c305dd145312babc4bd84cb9b1f998f81ed90b527b52666d68add509eca1b5e7
  SHA512: 7437a4b7b9ea19267d71933ef1fb18565ecc00516dbed0b49a3b3300be824db3509aace52baa96e5d31143d8aff9ec8abb6499c620e5f5fa403f4f2c741ca1e9

(path not present in extraction)
  Filesize: 123KB
  MD5: 04161f533ee93611681445f8a165ed68
  SHA1: d3f4b2bfc8b384d2602989082056751ae21b8105
  SHA256: 97e8d8fefbd8aef88875b7373e6a5ec0ff0fa02fc1b63af254d8116e6d959f81
  SHA512: 4e3ad0bd23e728966e7f0d86fda0883bb8196d9eca93c6c9633c3b786c451864fabd9f300fb7355277fb8de334c1fe5cb54b01c2ad88c3e51ad7fa221a57119f