ramnit | 89eba99bd3642c09ee9489d3c66c00ce06683c08d70280d75a056deb0ffb4646

Analysis

max time kernel
120s
max time network
91s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89eba99bd3642c09ee9489d3c66c00ce06683c08d70280d75a056deb0ffb4646.dll
Size

524KB
MD5

009061e7e9f67123829b843bd9986938
SHA1

46b6f2b0658a2c781d85b9c81f88713ed750c761
SHA256

89eba99bd3642c09ee9489d3c66c00ce06683c08d70280d75a056deb0ffb4646
SHA512

1dc589a8acf20f43532ac48693debd7d8ea999197e75c842446ad20356b9e2cbea12367c326602122acb308d84934d7c6d402a50607292e44b3c2f3c5cd0b481
SSDEEP

12288:2hpUrEIZJqr1AkBWwNa5R0EYl795/amaX3QXaPKUjtBE:2/jG01NHXaPVBE

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2668	rundll32mgr.exe
2692	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
2180	rundll32.exe
2180	rundll32.exe
2668	rundll32mgr.exe
2668	rundll32mgr.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2668-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2692-23-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2692-25-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2692-60-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2692-264-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2692-637-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsBase.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdav1d_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libalphamask_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpenc.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IO.Log.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsvorepository_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libjpeg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\JAWTAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kcms.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ogg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdarem.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHEV.DLL	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\softokn3.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Design.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libx264_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libh26x_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\libqt_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2native.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libgrey_yuv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\InkSeg.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libvdr_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\libmemory_keystore_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\calendar.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\libxslt.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClient.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcor.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_shout_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libspdif_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_autodel_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5F9D.tmp	rundll32mgr.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libwav_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libglwin32_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	2180	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2692	WaterMark.exe
2692	WaterMark.exe
2692	WaterMark.exe
2692	WaterMark.exe
2692	WaterMark.exe
2692	WaterMark.exe
2692	WaterMark.exe
2692	WaterMark.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe
1772	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	WaterMark.exe
Token: SeDebugPrivilege	1772	svchost.exe
Token: SeDebugPrivilege	2748	WerFault.exe
Token: SeDebugPrivilege	2692	WaterMark.exe
Token: SeDebugPrivilege	2180	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2180	2144	rundll32.exe	30
PID 2144 wrote to memory of 2180	2144	rundll32.exe	30
PID 2144 wrote to memory of 2180	2144	rundll32.exe	30
PID 2144 wrote to memory of 2180	2144	rundll32.exe	30
PID 2144 wrote to memory of 2180	2144	rundll32.exe	30
PID 2144 wrote to memory of 2180	2144	rundll32.exe	30
PID 2144 wrote to memory of 2180	2144	rundll32.exe	30
PID 2180 wrote to memory of 2668	2180	rundll32.exe	31
PID 2180 wrote to memory of 2668	2180	rundll32.exe	31
PID 2180 wrote to memory of 2668	2180	rundll32.exe	31
PID 2180 wrote to memory of 2668	2180	rundll32.exe	31
PID 2180 wrote to memory of 2748	2180	rundll32.exe	32
PID 2180 wrote to memory of 2748	2180	rundll32.exe	32
PID 2180 wrote to memory of 2748	2180	rundll32.exe	32
PID 2180 wrote to memory of 2748	2180	rundll32.exe	32
PID 2668 wrote to memory of 2692	2668	rundll32mgr.exe	33
PID 2668 wrote to memory of 2692	2668	rundll32mgr.exe	33
PID 2668 wrote to memory of 2692	2668	rundll32mgr.exe	33
PID 2668 wrote to memory of 2692	2668	rundll32mgr.exe	33
PID 2692 wrote to memory of 2760	2692	WaterMark.exe	34
PID 2692 wrote to memory of 2760	2692	WaterMark.exe	34
PID 2692 wrote to memory of 2760	2692	WaterMark.exe	34
PID 2692 wrote to memory of 2760	2692	WaterMark.exe	34
PID 2692 wrote to memory of 2760	2692	WaterMark.exe	34
PID 2692 wrote to memory of 2760	2692	WaterMark.exe	34
PID 2692 wrote to memory of 2760	2692	WaterMark.exe	34
PID 2692 wrote to memory of 2760	2692	WaterMark.exe	34
PID 2692 wrote to memory of 2760	2692	WaterMark.exe	34
PID 2692 wrote to memory of 2760	2692	WaterMark.exe	34
PID 2692 wrote to memory of 1772	2692	WaterMark.exe	35
PID 2692 wrote to memory of 1772	2692	WaterMark.exe	35
PID 2692 wrote to memory of 1772	2692	WaterMark.exe	35
PID 2692 wrote to memory of 1772	2692	WaterMark.exe	35
PID 2692 wrote to memory of 1772	2692	WaterMark.exe	35
PID 2692 wrote to memory of 1772	2692	WaterMark.exe	35
PID 2692 wrote to memory of 1772	2692	WaterMark.exe	35
PID 2692 wrote to memory of 1772	2692	WaterMark.exe	35
PID 2692 wrote to memory of 1772	2692	WaterMark.exe	35
PID 2692 wrote to memory of 1772	2692	WaterMark.exe	35
PID 1772 wrote to memory of 256	1772	svchost.exe	1
PID 1772 wrote to memory of 256	1772	svchost.exe	1
PID 1772 wrote to memory of 256	1772	svchost.exe	1
PID 1772 wrote to memory of 256	1772	svchost.exe	1
PID 1772 wrote to memory of 256	1772	svchost.exe	1
PID 1772 wrote to memory of 332	1772	svchost.exe	2
PID 1772 wrote to memory of 332	1772	svchost.exe	2
PID 1772 wrote to memory of 332	1772	svchost.exe	2
PID 1772 wrote to memory of 332	1772	svchost.exe	2
PID 1772 wrote to memory of 332	1772	svchost.exe	2
PID 1772 wrote to memory of 384	1772	svchost.exe	3
PID 1772 wrote to memory of 384	1772	svchost.exe	3
PID 1772 wrote to memory of 384	1772	svchost.exe	3
PID 1772 wrote to memory of 384	1772	svchost.exe	3
PID 1772 wrote to memory of 384	1772	svchost.exe	3
PID 1772 wrote to memory of 392	1772	svchost.exe	4
PID 1772 wrote to memory of 392	1772	svchost.exe	4
PID 1772 wrote to memory of 392	1772	svchost.exe	4
PID 1772 wrote to memory of 392	1772	svchost.exe	4
PID 1772 wrote to memory of 392	1772	svchost.exe	4
PID 1772 wrote to memory of 432	1772	svchost.exe	5
PID 1772 wrote to memory of 432	1772	svchost.exe	5
PID 1772 wrote to memory of 432	1772	svchost.exe	5
PID 1772 wrote to memory of 432	1772	svchost.exe	5
PID 1772 wrote to memory of 432	1772	svchost.exe	5

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:596
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1384
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1496
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:680
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:744
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:808
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1168
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:848
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:960
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:236
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:272
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1028
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1108
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1052
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:496
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:1976
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\89eba99bd3642c09ee9489d3c66c00ce06683c08d70280d75a056deb0ffb4646.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\89eba99bd3642c09ee9489d3c66c00ce06683c08d70280d75a056deb0ffb4646.dll,#1
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2760
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 232
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
144KB

MD5
344aff1e10b0abf66ee1f0b363152494

SHA1
895a3ea13042628aab5474bd4afe82304942c6bd

SHA256
9081fb8cfeb9238b946669543bbb08c4ae760b53e01b60da012ae5726cfac0ba

SHA512
fe499f4d4a5cd4bc0ca6cae916c3df37a96cedfa46c7597228467d01c47767b28d33d6c0939d46f989e41c4a23c5947b3823d4e45978a5420369106259eac70d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
140KB

MD5
a8a61c0fa5d4c82bf957f5242630bd78

SHA1
0274c5ce3559d98012d61de7f95ab7cd5ca5a071

SHA256
8c11ab9d21713c1022f9e3a7b6bf1b9c27abb9caa832485789e784cea4adb347

SHA512
77be39c76838f2610d93140b873c19bb7facd8844b1adb0bd384e10933ba7260aceaa08e30c62da56d5d5dba273c607cd815de428dbf30c5c8598a0134f929da

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
65KB

MD5
a9ea94ee4a3bb43d4057823b2072dc54

SHA1
94ade3c34ec08613daba8a1240586c24f8169794

SHA256
7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

SHA512
0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

Download Submit
memory/1772-68-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1772-69-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1772-54-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1772-65-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1772-70-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1772-281-0x0000000077B80000-0x0000000077B81000-memory.dmp

Filesize
4KB

Download
memory/1772-61-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1772-66-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1772-67-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2180-0-0x0000000010000000-0x0000000010084000-memory.dmp

Filesize
528KB

Download
memory/2180-382-0x0000000010000000-0x0000000010084000-memory.dmp

Filesize
528KB

Download
memory/2180-2-0x0000000010000000-0x0000000010084000-memory.dmp

Filesize
528KB

Download
memory/2180-1-0x0000000010000000-0x0000000010084000-memory.dmp

Filesize
528KB

Download
memory/2668-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2692-51-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2692-60-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2692-52-0x0000000077B7F000-0x0000000077B80000-memory.dmp

Filesize
4KB

Download
memory/2692-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2692-24-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2692-637-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2692-633-0x0000000077B7F000-0x0000000077B80000-memory.dmp

Filesize
4KB

Download
memory/2692-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2692-264-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2760-47-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2760-27-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2760-34-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2760-29-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2760-33-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2760-379-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2760-35-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2760-48-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2760-39-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2760-42-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2760-40-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download