floxif | e634d790bcb9cf00820223a6782a171aceea378ffbdf7896d55664c70e9030b2

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/11/2024, 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe
Size

386KB
MD5

4a836e3e0b5335f5f5ff95dbc9c0e725
SHA1

8da017453494417c54c25cb361e973f0e0302956
SHA256

e634d790bcb9cf00820223a6782a171aceea378ffbdf7896d55664c70e9030b2
SHA512

af16f038c8ff25d7b2b0a8a6fd5cc90350f0d35585b7fe382c617856e110f9b6ed3a0f27993fb6308eeaf60172615e05cd30df34c7e67162eea72bfaee9d472c
SSDEEP

6144:LGiuvY3oDJfaqaWRzAmJ5N3UMf3VYjnrQ6O6agZCPUgidwvRC4Kmn3:LGiuvY3+fv9NAmZ3UMtYQ69ZNPUnfn3

Score

10^/10

floxif ramnit backdoor banker discovery persistence privilege_escalation spyware stealer trojan upx worm

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x0008000000015d2e-13.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000015d2e-13.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe

Loads dropped DLL 16 IoCs

pid	Process
2512	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe
2512	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe
2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2528	msinfo32.exe
2160	IEXPLORE.EXE
2696	IEXPLORE.EXE
2384	Process not Found
2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2972	msinfo32.exe
2972	msinfo32.exe
2972	msinfo32.exe
2972	msinfo32.exe
2972	msinfo32.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
File opened (read-only)	\??\e:	msinfo32.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000012029-9.dat	upx
behavioral1/memory/2512-8-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/files/0x0008000000015d2e-13.dat	upx
behavioral1/memory/2528-21-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2548-22-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2548-20-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2548-16-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2548-26-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2548-24-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2548-53-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2548-54-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2548-55-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2528-376-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2528-378-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2972-390-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2972-513-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2972-516-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2972-519-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2972-522-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2972-527-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2972-962-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp	msinfo32.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
File created	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	msinfo32.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	msinfo32.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll	msinfo32.exe
File created	C:\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
File created	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieproxy.dll	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	msinfo32.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieproxy.dll	msinfo32.exe
File created	C:\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp	msinfo32.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7625FF11-A590-11EF-A0C3-D60C98DC526F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{76239DB1-A590-11EF-A0C3-D60C98DC526F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438084403"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
2972	msinfo32.exe
2972	msinfo32.exe
2972	msinfo32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2972	msinfo32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
Token: SeDebugPrivilege	2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
Token: SeDebugPrivilege	2528	msinfo32.exe
Token: SeDebugPrivilege	2160	IEXPLORE.EXE
Token: SeDebugPrivilege	2696	IEXPLORE.EXE
Token: SeDebugPrivilege	2972	msinfo32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
592	iexplore.exe
2220	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
592	iexplore.exe
592	iexplore.exe
2220	iexplore.exe
2220	iexplore.exe
2160	IEXPLORE.EXE
2160	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2548	2512	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	31
PID 2512 wrote to memory of 2548	2512	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	31
PID 2512 wrote to memory of 2548	2512	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	31
PID 2512 wrote to memory of 2548	2512	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	31
PID 2512 wrote to memory of 2528	2512	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	32
PID 2512 wrote to memory of 2528	2512	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	32
PID 2512 wrote to memory of 2528	2512	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	32
PID 2512 wrote to memory of 2528	2512	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	32
PID 2548 wrote to memory of 2220	2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe	33
PID 2548 wrote to memory of 2220	2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe	33
PID 2548 wrote to memory of 2220	2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe	33
PID 2548 wrote to memory of 2220	2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe	33
PID 2548 wrote to memory of 592	2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe	34
PID 2548 wrote to memory of 592	2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe	34
PID 2548 wrote to memory of 592	2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe	34
PID 2548 wrote to memory of 592	2548	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe	34
PID 592 wrote to memory of 2160	592	iexplore.exe	36
PID 592 wrote to memory of 2160	592	iexplore.exe	36
PID 592 wrote to memory of 2160	592	iexplore.exe	36
PID 592 wrote to memory of 2160	592	iexplore.exe	36
PID 2220 wrote to memory of 2696	2220	iexplore.exe	37
PID 2220 wrote to memory of 2696	2220	iexplore.exe	37
PID 2220 wrote to memory of 2696	2220	iexplore.exe	37
PID 2220 wrote to memory of 2696	2220	iexplore.exe	37
PID 2512 wrote to memory of 2972	2512	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	41
PID 2512 wrote to memory of 2972	2512	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	41
PID 2512 wrote to memory of 2972	2512	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	41
PID 2512 wrote to memory of 2972	2512	2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe	41

C:\Users\Admin\AppData\Local\Temp\2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnit.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
  C:\Users\Admin\AppData\Local\Temp\2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:275457 /prefetch:2
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2696
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:275457 /prefetch:2
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2160
- C:\Windows\SysWOW64\msinfo32.exe
  /nfo C:\Users\Admin\AppData\Local\Temp\seagull.nfo
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\SysWOW64\msinfo32.exe
  C:\Users\Admin\AppData\Local\Temp\SysInfo.nfo
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\COMMON~1\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

Filesize
313KB

MD5
aff3e4158859b347eebc43747ac591bd

SHA1
dab24bca988e4211dcc6c5d3a784c056603cf90a

SHA256
e0624096883aa4c12723d9fae1a825980dbd703a6c42d9a31d39da52f58833ce

SHA512
77789a4b7c29d2904aa918b7864bc15115a1b3b757e267609d46a02d3d391055f0bc04214c176a245ba9f9d96331f8808d50af9c394386280c2c803eab901afd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcf075d9167bb3d0c6822ba8ba4d04b5

SHA1
42d11d83d42d5e93c8ef4f3755767838afe9d84c

SHA256
b760d080d482c220a04e423acbe6dbf146b1dc4928d8b667446f0d6c8806f95e

SHA512
0bfb8f886c14fbc2e7ddf710404880fc026bfea10275b1805fcba16925e9bceaf863ce59ed152789f33bbcf9b56bc3678602f66b22daaa0e2172a5d072c749c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f885f087e0921b6bf67c59dd1e18746d

SHA1
4dc5ed54e60e4084f57f82e2373c52d3ac8e557c

SHA256
ffe09290396c8daee08ddf73262ce46a79b7c9288e7f276eac804e9bcbccd1d6

SHA512
53f0bd1e70e3d748b77a3af23fdeca207c1b5ee99e0f77f1fb627b578b1c29dd11344f312276f9590d67c44711610a8de29d5aacb5dff41482131a689d2e54e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d04f87a7c67187f57bf4bd01862cd51

SHA1
b7200698b76950b51819e44d27a9ea226e19a20b

SHA256
0e66c30380527da83801d75a12c5f4dc7ab5aa7f6247cab15ebb194bd71e29c1

SHA512
1a590835640140f0899bd4074a71e4bbe2ea453a42e8e3487d30707f6d3f843fc20148b82f934659301576c7d340753a28082a5c480a1c72baac4a716b51a621

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77f114d3f1113d45a1e33d9a6132cabf

SHA1
1a63d37d06e3839a702703bcc2f5988d5a81897f

SHA256
4d4c7aeef859641a5e22e5de01cf4b44a3ff1ebd6cda8a02ce4f04c0a44bdbb9

SHA512
bc57a446c24c3a5101c68829d231a84ce5e86c51007046865da49dab0227ce037e17c49a782fc3ecd2775b832467eba0f5e4bbad889fcb60f93f9fc4b89f7edc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23c15e22afccaa114cc75c6a479b0a8b

SHA1
441e30f5e9e0e2d43e63ecd35a4b3149f82d0840

SHA256
e60b02fd866f88dc3b13f038eddfd7f3c1306cc9de40b9905437461934738e84

SHA512
8847bd4cbd1505e0d3ee7695953ae69d94dfed77e87e1ee93963c1da2bc961d80310c430188b567d30376fd5e0a7d610c257145eafca7e0a5a7fd21fc6451760

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f4b335cfe4f42bcbaca38fcfb385808

SHA1
385ea29d7126a78ec9fbc45771dfdc812eb852ce

SHA256
e7e94af65c44c650eb77105fe8591d566b6a4659915565498275cea6f6f52d9a

SHA512
beeb078440f74ae234d60929eaf2f5e2bc008dcd91422e1d010a5578b9455ff66790e190e540fa9374325e178d4943cfe27e275b0ad76b72ed5b87787a228d66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e15eaacfbaad0ad0aad8453fe1e61a76

SHA1
99a4954e654129eaeffcb30c0d65e99821e4c5ef

SHA256
cb7b783e073474d8a061718beb114f23824e5caff9d96177fa51a905b478c9ad

SHA512
df54da1310c9078fc718c3b675535541fb10de81019620561c429ca87f0b87ea2b81c024f2eee91cbdb8f1ea03319b98e498ff63a9526b1f4737b98d2ad2cdad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38892bdb939aeb6d2366d48085206d33

SHA1
6f96bdf7d4f32a36948e09a44302392b1c262805

SHA256
2cc7bcd1c245d8b2be14db50e9ecb697a667927b3e000de50c52496aa55d806a

SHA512
10cbd1dee3dc561a55b8785c508c196166446fd3f567110fd595380fde89fd782232ee3f65c796c8562ba2c2299d143211bb13993c1dd31161c0b9c5ffb4e6bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0ae6535042f221ea05da5ffc44cd60c

SHA1
3379130e5174d385967424bd6c288e5fd01525cd

SHA256
a39a3ad3b01ff20d99d4a04efecc40fdc182a390cf90bf24b00a836385d4919b

SHA512
7be6b8c2d1c7b2e6cfec7f93deb57ceccad10c22187f8d4132d16792cf60028855dc3d440ea4da65e0fc965b35e128fff19e1e02bf98faf22b562c7605a2be8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e7f91b77c702041bbcdc4d6da430197

SHA1
3772191392b5b87f4414776d15c8ee8c3f078eb5

SHA256
e42aa9b604c89286b1b52cc26ce3737275e22181ee3a69815d137d6e7a492e3a

SHA512
e52efa8b3738437256f738c56e5cb3cfa7116e0e0ed41b4559b33db3e48ec89a70a3493a5d9d9381186b0259992991bbdf647d705df2798f2a565f5161941424

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ff6ad1ba9f7a0597e0b37f4da35ee17

SHA1
3b21ea0aa404485cb1f6c021206b27b7afc7ae73

SHA256
03c276e38504fbd6da985f7cd7f37845a25af26a7006cf2e4355ab26b7b619f0

SHA512
3f47809b5531b1310d2fe646a02279bc5fcfe99a277599c198dabe6c52f5680c43a1e4bb3fc2cabbada9cebd563fb750d1eebe4091cc154819906eadeb9259b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b7cd241bea382b02e854d6285195b32

SHA1
29b41165d8018aa757b1b1e339929308679fb4e3

SHA256
76e8b5ea9ce8a29ac0319848e9ce3d87dd819db2df687915b477664a9fd73e51

SHA512
67280c6432f93af293509f9000e78330a3d7f28c8f699df6024341c0e584d68c2a934cff52a7604d04d7d5a0c8b952cd80d8adcdfb9b1d0f5bb54fd1de8defc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
badaf3d4f3b7534e39638303a9654f0d

SHA1
1943a47d3f75705f558d82272864468dc1707715

SHA256
62c55712106351a295bd93192db28ec6ba36f38d056e1143108d085bdedf583c

SHA512
b620936bd26d08433463be4e22714c11114d94d179a44decec3c51a7343a57b36e6985ef93e8842a3abbf42621d60cc713cb01203525a0ff5eccbe8eee7ea95f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26198c68b8c053d9786d56add6947f54

SHA1
e2f219c667de000ccd61cdfaf61c32d86038d12d

SHA256
0ac01ee3bab25c5d885bcf6c94537d246b441dbb54524e9ec68e019abc0a961a

SHA512
05fdec254211d354c348ab4432b29956fc1c73f9bb0b5c2112d7584f1849d648a46a6941ce1df87584e67ef510600c27d800beffd3525ca280daed355545527b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
883ec065600a8c880fe6ed94158602e0

SHA1
00250fa316883bfd50447004513105fc48454787

SHA256
a329303896d73c7e85b6b4541a197d3cdf26ebea66e6de330e51905e5e57d072

SHA512
cdd088c5644236d767bf028fb7ad917f312f4f1c218cb6943c75f75c2bbde575a4d26c3e339b16b32e5bc394f476496cc14bc4940f24cf820ae89828e999313a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b959874eb579d51d6c872d8e9e09ede5

SHA1
ac934d2aaa2371ffe7f7a62a318c4e68dba47543

SHA256
e298dfd53612d4787a106a66e5925c927ad1a5f2f7e81dae42a07478f7a69c53

SHA512
2314a16b1b50c9679bbd627d8cbcf428840d877ee4338cb491bcf8146bef10e5cd895c466551b160fe43d73f04aee0d9c23103f4aed3cf5dafa82f4e05e3989c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01e6e8a7ef164ae2dca04618f050a596

SHA1
9ca477366bb099c1e61b1910797d286509def2ea

SHA256
ad0c393fccf5a3d0783c4f4a8bc9dc0968f39fc991490197fc63ceaba3d11eb5

SHA512
c256581139844e9098362b99b80824295677622d5b8834fdaf55ea4aada5aa961aff47ed00a133a043f1b2a7600ac5e041c0e9fa279b8ede28651e9cdf1cc2e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
210f9cea11e5e91f96730c3dfbb83aa1

SHA1
486331b4558cd65a532faf4c3d2ce58f30155a96

SHA256
03838571964e92d9b8a3a74e0db4c3c848121f9fff23739b0763835b49dfa531

SHA512
975ed62b01b5b570509f7d2670d30604dc421da7176ca00600d5cc610e9a8fe446868af909e5746ea4e3ef6a7460645dbbce69a1ae08773fdbf3431c572a1758

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50bab3647bc7a91ab740a23e525bde2e

SHA1
6c80a5555ee9dca3a2528a1f45f5953e443aa320

SHA256
0d7e3c9a906aac92140014efa7193ebaf5382bf2a2346b8eeb0441a1130d6308

SHA512
cdf21a0371f716732c8aac3346835cdd14f5419f1b0a40a4eac2703f12f08848d195a68c356b82896a5a0024ee02f8fc954a311de3ccc17c54ae724419122101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{76239DB1-A590-11EF-A0C3-D60C98DC526F}.dat

Filesize
5KB

MD5
7f5be7752f57f733202e16271c91f182

SHA1
67bb5d6a7d1d405babaeed3d00e236ba2af05f8b

SHA256
46604f3c3439b26970cf7487c2cf9336814ef938b61ba2927598f2001ab7e440

SHA512
32c256b9651d817f8ef17a3ed5c26ef2ee9c667039e45a041bf5112fb0dc7355fa29855c2f337479792070a960184507b6d937526ee43769a9b76ce330a37aae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7625FF11-A590-11EF-A0C3-D60C98DC526F}.dat

Filesize
3KB

MD5
6c63c686209c3109c94fd62a64a51ed2

SHA1
6a7c1485f164a813bbc8359fd9c8aa551c985a35

SHA256
dbc2249558d0f890577cfdaf0a633b8a6953afbd1ccab35a691be27016b134e0

SHA512
5c43c3c0f838d7453836974b46e150b27d92ab31dd51b2a600b09d12b76f0dcb92442109d24eb791a3087399660abeada8074aa9e32e34961ce39f5d12fed7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-18_4a836e3e0b5335f5f5ff95dbc9c0e725_mafia_ramnitmgr.exe

Filesize
177KB

MD5
5c65d0f7ed0cf850e4e9cc219233d133

SHA1
093b25fe1598dbce3c9cb3aaf7da89f9e6fa321c

SHA256
c25c2eaf1dd5165bf46a36d9420d7fe718cb866831b91f22f55561fed08c7f4a

SHA512
2d404c860e037bc7b7e400ff2369de91599f15780d82364f119b356706aa3140499816c00a2bf99ba443206788ab0da527b16c3057372f803c5c112c2eae5d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCE98.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.nfo

Filesize
366KB

MD5
5e8b83defea76ba0a96c78a3825e6b6d

SHA1
cf61b124a9eb41075395750dc27d75ff0a9d2de8

SHA256
fb6345468c96c434764901f01515662f95431e260b3e650b6139026ddc6ef7d1

SHA512
03edacf06347480b0cb806cf1d5555148d2375b9ca150b073159a455ececfd3f6666c291ab4c0498faec81e644e0cad2e0faa837fb7e2c61befa7775d6ba2a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCF66.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\seagull.nfo

Filesize
351KB

MD5
0aa861abea868e24fe011a9cba770cab

SHA1
4c71a09579a60db3be4891a56d453da59a437bce

SHA256
84db1550aa0d6eaa2818b246ce64a63d547c8c7fe18e5d1ee07f740e6b751c51

SHA512
a79d534826733a18d877a2eb6293cd5d0865d0e51190eda5f9ff6782e43431a6b31079ab71c082dd3b1004127ce8e6caa52272343eb1556fa1f0d67905af4059

Download Submit
\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

Filesize
313KB

MD5
80c225efdb13b59d43f723c52384a4a9

SHA1
f4ed5de6b8918118b46bc03785061d2b8d7c0716

SHA256
683b3636964adde51a23dd656ea5a434ca9b71b077c0693297c1b25b85c31845

SHA512
f41f35d1939648888fb85e9dfcc1406f9b4dfeecf0063f0f44853afe15ae4ca0348f56da1bc233e31218635f3e3de46eade9bb3c2d62548f0aa487b2fd0b20a7

Download Submit
\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

Filesize
313KB

MD5
b1790fd6516809021df7db85b6d4b994

SHA1
cc5b6e07276d0928bd941112891098b2e3bf745e

SHA256
9b978879cb8b06191c3681b650229c5192d789c42aba47760ca4a14a288b7980

SHA512
32ad105a39db566322a75c1f432f0e8ebd8e3fd24667788bb470ecadf22a1f66c56c38bb2bd154fd97adc4c44cccadee751012d99b20dd502a16538f3c4701ec

Download Submit
\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

Filesize
313KB

MD5
29f7d8233635552ccd766dfea3692ba8

SHA1
8439f4b9d193c149721bc666654570f4c990b0c2

SHA256
95baa39e9ef8d95d8b6731aa7512d21a4575ad5922ce72eb2e3c65fe69560e6f

SHA512
5d3513922aae2e63b3af9dfc1f02bb6cf665b90ee61992a1baadee2633258d9403287f462685611f39582fe2b2be0a15a859272d7ce9866de39675683bf4dd14

Download Submit
\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp

Filesize
340KB

MD5
17a126ddb95ef8870891939fba001650

SHA1
a59750b87cbf3dd44d6aaf17c0af1f0d06757b8f

SHA256
1119c02976dc7236ce006502dd0894bf5361e1a6cfb099b4e78e75a78925d701

SHA512
78df1dd57a3ed9cb50a2fa5d137a57eaefb247fd58414891045f90be22418bfe3c719d80f562b9bcd5d12641f519ae6ba954a94123884d5a2313c8a2b1e6f977

Download Submit
\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp

Filesize
340KB

MD5
c2b15c432773c8b278e65cbc3ba2f299

SHA1
f3ebdb6f78118d3fe89fb3d065db64dede1c267b

SHA256
bd1f8effe518130dd2c006c86d5617c7181300e6a1ce73dd92d2990f6892f223

SHA512
044bd33f8519602f814b5c99172ff2f25bf1ba9464bd1bcbe744b5a685d1b4e3338b4a7bfd2bd45ff7524cbc6ccfd5b63a1bd04e2a3454aef67a4ef0b89acd77

Download Submit
\Program Files (x86)\Internet Explorer\ieproxy.dll.tmp

Filesize
340KB

MD5
86678c2ddd7208ce077b1d3e8cfa4614

SHA1
7fc7692872ec2a1aae1708e11d9c2c3e3e1e3388

SHA256
db460f012a5194d914e4c415dffa4f574e7df03ba672c86f7e43913ccbd86236

SHA512
2554e816067dbcf51ca78d19d7e83fea3f43860ae480821efc3afc911fd714fd7cb8fa7bcbc5b33f4633b31dc17bfa77d1a866da4cb8fa552f8cbe81774276af

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/2512-52-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2512-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2512-0-0x0000000000A50000-0x0000000000AB5000-memory.dmp

Filesize
404KB

Download
memory/2512-8-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2512-963-0x0000000000A50000-0x0000000000AB5000-memory.dmp

Filesize
404KB

Download
memory/2528-378-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2528-376-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2528-21-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2548-25-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2548-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2548-55-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2548-54-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2548-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2548-53-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2548-23-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2548-16-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2548-17-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2548-20-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2548-22-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2972-513-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2972-390-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2972-516-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2972-527-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2972-522-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2972-962-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2972-519-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download