ramnit | 377031a94559fef772cda1593232a3b2c7fa6ac7ec57dc44a37cacef3cfa2c06

Analysis

max time kernel
92s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 21:25 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Size

1.9MB
MD5

11440d40b4dcfc3cf8383f9097433bb8
SHA1

f0f69363ebceee5c5945f44867ab7feb7ea2f57b
SHA256

377031a94559fef772cda1593232a3b2c7fa6ac7ec57dc44a37cacef3cfa2c06
SHA512

36c10cdcd318638aab437a4bdd9e3088d5194dea1359786a960f1d595727f734349104c02cd5fab5258d95591a990ef9e1ec113958e1c81f27eff020b1f1feeb
SSDEEP

24576:87ZGy9+Acpjdv+K3eqA6dj6YU1s20UPxXMP2Wk4AX:+/Sp5AyAXtWk1

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\Rockey4.sys	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
File created	C:\Windows\SysWOW64\drivers\Rockey4USB.sys	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E817A545D4EA57DC0674E4DF10489CDC055BDBC\Blob = 0300000001000000140000005e817a545d4ea57dc0674e4df10489cdc055bdbc040000000100000010000000dfe2df6da86d621ea59420e7254f41f019000000010000001000000024ff13c7090a51aa0043231473a8b16f140000000100000014000000604cd9d7712845eb7bcf699134f013bfad4971e40f0000000100000014000000aa9ff6979bf3e3d4d898267e9d2a449748f731c52000000001000000840500003082058030820468a00302010202107410e66950047fb99a072d507e990d73300d06092a864886f70d01010505003081b4310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f727061202863293130312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303130204341301e170d3133303332353030303030305a170d3134303632343233353935395a3081c3310b300906035504061302434e3110300e060355040813074265696a696e673110300e060355040713074265696a696e6731273025060355040a141e4665697469616e20546563686e6f6c6f6769657320436f2e2c204c74642e313e303c060355040b13354469676974616c20494420436c6173732033202d204d6963726f736f667420536f6674776172652056616c69646174696f6e207632312730250603550403141e4665697469616e20546563686e6f6c6f6769657320436f2e2c204c74642e30820122300d06092a864886f70d01010105000382010f003082010a02820101008b24a9235419cc23c769130de5d8d6dff1f5111ea0c6ad1cf6e89b3fa66ca26f36d71e95bf53a33c21bcbb2eb93f3d045cc45f505ae58ae7c0eb3e99972990fa6e8e90068555d052185b8fa140ebd154f44d7c92d6bb77737e60a8f486154337dc9f6869a8707355306ddf45cd8077d2ec1d489327850ec9ca9744cfa27e8c6c31f722dbaf835ebda593ad94e027e892dc88e0e96fa409af952457278a475496175ed43b405df6338d5512e5636174b96f8af61f8bf4744d98e8079a8fd503c92c67d5e398503891a5a30af4647c2399a79ac6570000a298ca7d9ea62918b24ab7f751b5bcf5513a66b05ad179bbb026d31813d2b47ad0d6b6febf2006db3f110203010001a382017b3082017730090603551d1304023000300e0603551d0f0101ff04040302078030400603551d1f043930373035a033a031862f687474703a2f2f637363332d323031302d63726c2e766572697369676e2e636f6d2f435343332d323031302e63726c30440603551d20043d303b3039060b6086480186f84501071703302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f72706130130603551d25040c300a06082b06010505070303307106082b0601050507010104653063302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d303b06082b06010505073002862f687474703a2f2f637363332d323031302d6169612e766572697369676e2e636f6d2f435343332d323031302e636572301f0603551d23041830168014cf99a9ea7b26f44bc98e8fd7f00526efe3d2a79d301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d01010505000382010100bcb1d8e3538bc8d64526ed2c191fecb0f310db585de6f0d93b4f47085c41b71b4da3bc7687027aad0c5b4f19ae70348dc4d846ba9cda5dd1dea62ea530e31446f215a8658893590c40311ea78ade96e06940677f3682d9481184aee839c5695c4ea2e5c178d449f14392364ac431de64a2e5df71741df1ca4cc7bbf3024a7121cb18008c5d1c79c6b1611fb336463f683ab9b6e3e5b747def34897e59c484263e77b4f0a9d36654b20aabefefbdd7784789656cf0d9d7a3fde2072bdfde43af1240ff369841ca58fb591a9f9773c547bff724c643f581f4e63002e743efd100fff2339a4392bbf1c9f5135923f24104e76292d2a5f99c9afa3f30de1f5a40227	DrvInst.exe

Executes dropped EXE 2 IoCs

pid	Process
1824	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe
2780	DesktopLayer.exe

Loads dropped DLL 1 IoCs

pid	Process
4560	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe

Drops file in System32 directory 25 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\InstDll.dll	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}\Rockey4.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}\SETDB7F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rockey4.inf_amd64_634c4492dc802a31\Rockey4.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rockey4.inf_amd64_634c4492dc802a31\Rockey4.inf	DrvInst.exe
File created	C:\Windows\SysWOW64\Ry4CoInst.dll	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}\SETDB6E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}\SETDB7E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}\SETDB7E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}\Ry4CoInst.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rockey4.inf_amd64_634c4492dc802a31\Ry4CoInst.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}\SETDB6C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}\SETDB6C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}\Rockey4.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}\SETDB6D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}\SETDB6D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}\Rockey4.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}\SETDB7F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rockey4.inf_amd64_634c4492dc802a31\Rockey4.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}\SETDB6E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}\Rockey4USB.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rockey4.inf_amd64_634c4492dc802a31\Rockey4USB.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}	DrvInst.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000e000000023f5c-3.dat	upx
behavioral2/memory/1824-4-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1824-11-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2780-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2780-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px7762.tmp	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem3.inf	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks SCSI registry key(s) 3 TTPs 38 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1F9DFCFF-0764-11F0-A824-C6CB468AE5AC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449443680"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2780	DesktopLayer.exe
2780	DesktopLayer.exe
2780	DesktopLayer.exe
2780	DesktopLayer.exe
2780	DesktopLayer.exe
2780	DesktopLayer.exe
2780	DesktopLayer.exe
2780	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeAuditPrivilege	556	svchost.exe
Token: SeSecurityPrivilege	556	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4036	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4560	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
4560	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
4560	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
4036	iexplore.exe
4036	iexplore.exe
6136	IEXPLORE.EXE
6136	IEXPLORE.EXE
6136	IEXPLORE.EXE
6136	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 1824	4560	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe	86
PID 4560 wrote to memory of 1824	4560	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe	86
PID 4560 wrote to memory of 1824	4560	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe	86
PID 1824 wrote to memory of 2780	1824	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe	87
PID 1824 wrote to memory of 2780	1824	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe	87
PID 1824 wrote to memory of 2780	1824	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe	87
PID 2780 wrote to memory of 4036	2780	DesktopLayer.exe	88
PID 2780 wrote to memory of 4036	2780	DesktopLayer.exe	88
PID 4036 wrote to memory of 6136	4036	iexplore.exe	89
PID 4036 wrote to memory of 6136	4036	iexplore.exe	89
PID 4036 wrote to memory of 6136	4036	iexplore.exe	89
PID 556 wrote to memory of 4196	556	svchost.exe	101
PID 556 wrote to memory of 4196	556	svchost.exe	101
PID 4196 wrote to memory of 3976	4196	DrvInst.exe	102
PID 4196 wrote to memory of 3976	4196	DrvInst.exe	102

C:\Users\Admin\AppData\Local\Temp\2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Local\Temp\2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe
  C:\Users\Admin\AppData\Local\Temp\2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4036
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4036 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:6136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{afd81f39-58a1-8944-9c51-93f4fe540475}\Rockey4.inf" "9" "4281a14cb" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "C:\Windows\Temp"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{09a5c292-fb34-a944-9d63-dc7bf386e2d3} Global\{7f4d8fa2-c9d6-174d-a381-69eb0ee760d4} C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}\Rockey4.inf C:\Windows\System32\DriverStore\Temp\{18df2e29-3d87-4143-8343-c423c7251659}\Rockey4.cat
    3⤵
    PID:3976

Network

DNS

api.bing.com

iexplore.exe

Remote address:

8.8.8.8:53

Request

api.bing.com

IN A

Response

api.bing.com

IN CNAME

api-bing-com.e-0001.e-msedge.net

api-bing-com.e-0001.e-msedge.net

IN CNAME

e-0001.e-msedge.net

e-0001.e-msedge.net

IN A

13.107.5.80
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f29578ad7de8418da4a2d1dff241a83c&localId=w:06EA7CA6-BA87-3CF1-1EE1-03E628C99C60&deviceId=6966580997104353&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f29578ad7de8418da4a2d1dff241a83c&localId=w:06EA7CA6-BA87-3CF1-1EE1-03E628C99C60&deviceId=6966580997104353&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=093F2725204963F839EF329221F26219; domain=.bing.com; expires=Thu, 16-Apr-2026 21:25:10 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F6F8A2F76B6842498EC2BD32F43797B7 Ref B: LON04EDGE0809 Ref C: 2025-03-22T21:25:10Z
date: Sat, 22 Mar 2025 21:25:09 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f29578ad7de8418da4a2d1dff241a83c&localId=w:06EA7CA6-BA87-3CF1-1EE1-03E628C99C60&deviceId=6966580997104353&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f29578ad7de8418da4a2d1dff241a83c&localId=w:06EA7CA6-BA87-3CF1-1EE1-03E628C99C60&deviceId=6966580997104353&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=093F2725204963F839EF329221F26219

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=djaCAIKrkkoSkmOkBRAgc5nD7B8TzLzpkLwlIg7IXBg; domain=.bing.com; expires=Thu, 16-Apr-2026 21:25:10 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4AE799D24F82436FAA5E8B7E812B5B72 Ref B: LON04EDGE0809 Ref C: 2025-03-22T21:25:10Z
date: Sat, 22 Mar 2025 21:25:09 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f29578ad7de8418da4a2d1dff241a83c&localId=w:06EA7CA6-BA87-3CF1-1EE1-03E628C99C60&deviceId=6966580997104353&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f29578ad7de8418da4a2d1dff241a83c&localId=w:06EA7CA6-BA87-3CF1-1EE1-03E628C99C60&deviceId=6966580997104353&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=093F2725204963F839EF329221F26219; MSPTC=djaCAIKrkkoSkmOkBRAgc5nD7B8TzLzpkLwlIg7IXBg

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FD3ECD8A9D68487A8B330EEBA5EB6ABD Ref B: LON04EDGE0809 Ref C: 2025-03-22T21:25:10Z
date: Sat, 22 Mar 2025 21:25:09 GMT
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388234_1IFMMONGOM3EIAZ4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388234_1IFMMONGOM3EIAZ4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 721420
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D5CBA8B645644632A837033BC4841984 Ref B: LON04EDGE0609 Ref C: 2025-03-22T21:25:45Z
date: Sat, 22 Mar 2025 21:25:44 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239359734404_1RBLA5UG5KRWGU20H&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239359734404_1RBLA5UG5KRWGU20H&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 818456
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 361FA17551D64C8E9EE74CE87FC387F7 Ref B: LON04EDGE0609 Ref C: 2025-03-22T21:25:45Z
date: Sat, 22 Mar 2025 21:25:44 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388235_1XAV95DEOU0F3NPNY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388235_1XAV95DEOU0F3NPNY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 507475
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 442E33C619454451B6ACCC4357BC7A48 Ref B: LON04EDGE0609 Ref C: 2025-03-22T21:25:45Z
date: Sat, 22 Mar 2025 21:25:44 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239359734403_1QUIFQSNPPFE4TECL&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239359734403_1QUIFQSNPPFE4TECL&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 737279
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A2653DF47024450CA51E5B39B03ADC6E Ref B: LON04EDGE0609 Ref C: 2025-03-22T21:25:45Z
date: Sat, 22 Mar 2025 21:25:44 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360264545_1QMDV0ZFDT4MYHVM6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360264545_1QMDV0ZFDT4MYHVM6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 845518
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 077C67C46B5B444BAB4BA5DC07844DF5 Ref B: LON04EDGE0609 Ref C: 2025-03-22T21:25:45Z
date: Sat, 22 Mar 2025 21:25:44 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360264546_1VIJ7TSH89LPKUMDM&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360264546_1VIJ7TSH89LPKUMDM&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 675736
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 647DEC86C8A448A494A14A8586BFDA75 Ref B: LON04EDGE0609 Ref C: 2025-03-22T21:25:46Z
date: Sat, 22 Mar 2025 21:25:46 GMT
DNS

c.pki.goog

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.180.3
GET

http://c.pki.goog/r/r1.crl

Remote address:

142.250.180.3:80

Request

GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 304 Not Modified

Date: Sat, 22 Mar 2025 21:22:22 GMT
Expires: Sat, 22 Mar 2025 22:12:22 GMT
Age: 256
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding

150.171.27.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f29578ad7de8418da4a2d1dff241a83c&localId=w:06EA7CA6-BA87-3CF1-1EE1-03E628C99C60&deviceId=6966580997104353&anid=

tls, http2

2.0kB
9.4kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f29578ad7de8418da4a2d1dff241a83c&localId=w:06EA7CA6-BA87-3CF1-1EE1-03E628C99C60&deviceId=6966580997104353&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f29578ad7de8418da4a2d1dff241a83c&localId=w:06EA7CA6-BA87-3CF1-1EE1-03E628C99C60&deviceId=6966580997104353&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f29578ad7de8418da4a2d1dff241a83c&localId=w:06EA7CA6-BA87-3CF1-1EE1-03E628C99C60&deviceId=6966580997104353&anid=

HTTP Response

204
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239360264546_1VIJ7TSH89LPKUMDM&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

154.1kB
4.5MB
3252
3248

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388234_1IFMMONGOM3EIAZ4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239359734404_1RBLA5UG5KRWGU20H&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388235_1XAV95DEOU0F3NPNY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239359734403_1QUIFQSNPPFE4TECL&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360264545_1QMDV0ZFDT4MYHVM6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360264546_1VIJ7TSH89LPKUMDM&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.4kB
6.9kB
16
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
16
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
16
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
16
13
204.79.197.200:443

ieonline.microsoft.com

tls, http2

iexplore.exe

1.2kB
8.2kB
15
12
142.250.180.3:80

http://c.pki.goog/r/r1.crl

http

384 B
354 B
4
3

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

304

8.8.8.8:53

api.bing.com

dns

iexplore.exe

58 B
134 B
1
1

DNS Request

api.bing.com

DNS Response

13.107.5.80
8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

c.pki.goog

dns

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.180.3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
01fa3211165ca3e0dbd816e5389630bf

SHA1
2a6569707c8ea29cbf996a906855470bb7831f48

SHA256
ab165a9a5b25e6c05f6f2eac77c9dcc9b4157897524a0be4415cdae9cef5636f

SHA512
1848c476ebf00781299715f7c664465a071fa54e3bc14002df35a74aa27667788956bddc4b96b241ea2865f819cf5e33ed7907504a99342c2a0379a0964550ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
f572ef4487b0fbfe1b8765f6cddb8cac

SHA1
a649e7ab416988889f95817ce199f0257a54281d

SHA256
efaf6bb4ada8ff2afa7d8aef4ab6994884e5e087e9eb505d132b3cbde272875d

SHA512
083ddad2feec09e6992ba8f0fe3261ef1309d6c48b2bfe0d9d1686a18b09af6d981bdfc5bef713f14b9fb8d82d8ebb2d042c6a6ffed7a00ffe123a857edd5a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\84O89Q0W\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\SysWOW64\InstDll.dll

Filesize
412KB

MD5
28777af4daf84f9ad4145f7105e02477

SHA1
f2100f4812007a253134d4e134e6208a78263a2c

SHA256
7e0f6280add4c6000d6bf548402e849b83047b960ad89be067ae87e4dc103b77

SHA512
543e81509693ed6b75f9dbce536ab15f1bcac5f1fc71646b53ac2bafd2af5859add9acf21b247719e2cf6d2974c3c8552a1fb2f13d3f3be428099fc62e62dcad

Download Submit
C:\Windows\Temp\Rockey4.inf

Filesize
3KB

MD5
3ce2e5aeef01fa93d94868953406856b

SHA1
10d56292d022f39d8ceefded624f8522f5bdccfd

SHA256
8cf87f05e75dd558eac842ea3eeda9cafe675d4c6d1eaa211c403b7de2e599cb

SHA512
ffeb48efa4254d11d398eb6197ec1a8c0ae398d0bd3dd1cd7d3f66fd8f8e252e726b8adcf651c6e2f2bd9a78023151ca2103349bb63f788aef306010f6f983fc

Download Submit
C:\Windows\Temp\Rockey4.sys

Filesize
29KB

MD5
6b9b088f4921b5114f7916a1cfa90f51

SHA1
be3d21cf1a9eae23ff0464f2ee19d60891ba8777

SHA256
a3fbfe4c4c5195524107d1127e8165d53319f306e07647022a6557750f0b2c29

SHA512
961c9e56bb62098989d55a951da4b05db56d15ca26ca85f9413139f24ae3624056c33d16d711819f1cac97469fa456578fedcd30dde773d87523a29cb337a98d

Download Submit
C:\Windows\Temp\Rockey4USB.sys

Filesize
20KB

MD5
a215e31da7fc0369e315132303582b5b

SHA1
3dbb87e75c01ad93845a6c90602bdcd49f5e1882

SHA256
a55c1b52240efb612b0771f35797f2aa68b249be7f7da930a0ee5d8212c7f7a7

SHA512
c5d132725c3f41357b517341a28220cf205cba4c49376908b03e8780c6c456db70724f48b3ce89f90edb9e865308a607a41db0571e8e871c503e0ff251ce76a2

Download Submit
C:\Windows\Temp\Ry4CoInst.dll

Filesize
6KB

MD5
5d1e774106c240e330e7384f8bd2835c

SHA1
0e6bfc62067d52540eb84852eb1e160fb646e4d5

SHA256
fab2055534c54c8c8d3df3065a481fb8b2d1bc052c29ac500634ba63f32fea09

SHA512
48c4d2ac25e8e3f128201cc0503de7cdb952ad849fe760c112bf32ff0e9df96da16fa356ab99f64cb45eb3a4314fc3bfdc852e06a1263c4cd681c7b42b9df578

Download Submit
C:\Windows\Temp\rockey4.cat

Filesize
9KB

MD5
f5e17a72ecbe8f0556423e796124f785

SHA1
60b887c365c0541e0aa1518ac687bc3eb7e60a4c

SHA256
d0e390cbe3a1313d0b4348bfdc9da947616fc7dda4ecc414468b5f2151f5b60f

SHA512
4f85087d92b2b6494cb2a1d281c34bb72fa6bd9f31d3369aa9729ba12d320618836f2d25dc92dcec18b1c9cfa0f3977bff809d179a988ddacaf67acfe06ea9c4

Download Submit
memory/1824-7-0x0000000000430000-0x000000000043F000-memory.dmp

Filesize
60KB

Download
memory/1824-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1824-4-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2780-18-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/2780-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2780-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4560-22-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/4560-0-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.