ramnit | 4e71af185ee9671e727603c68783933570af4d390ba9a5bba4748f5f0c76f8cb

Analysis

max time kernel
74s
max time network
135s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnit.exe
Size

3.2MB
MD5

a6cd077b95edb75bafd6ab795564ce93
SHA1

e0d900ab92b75036366824c2c2b8a507ec41923e
SHA256

4e71af185ee9671e727603c68783933570af4d390ba9a5bba4748f5f0c76f8cb
SHA512

73f8baf2ef61122fbe3216317ff2d66063cda748e076c83f9456dac40e0e04d2bf4c9ae528f7172ffe5bc42c8902623da03a0bb3dbc79d43e4beb405f6c48e7f
SSDEEP

98304:+YzuLnwr0vBYtaifm46VIdwL7+LRPU/xOnoj9ghi1RebMIg9Cbk/V8S7iGY:+YCLnLifmJ8RPU/xOnojDIg9Cbk/V8p

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
1128	2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnitSrv.exe
2424	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
1688	2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnit.exe
1128	2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnitSrv.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000012266-2.dat	upx
behavioral1/memory/1128-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2424-15-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2424-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2424-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px9B07.tmp	2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnitSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnitSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnitSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnit.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{17080D91-AA75-11EF-B985-56CF32F83AF3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438622404"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2424	DesktopLayer.exe
2424	DesktopLayer.exe
2424	DesktopLayer.exe
2424	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2936	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1688	2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnit.exe
2936	iexplore.exe
2936	iexplore.exe
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1128	1688	2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnit.exe	30
PID 1688 wrote to memory of 1128	1688	2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnit.exe	30
PID 1688 wrote to memory of 1128	1688	2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnit.exe	30
PID 1688 wrote to memory of 1128	1688	2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnit.exe	30
PID 1128 wrote to memory of 2424	1128	2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnitSrv.exe	31
PID 1128 wrote to memory of 2424	1128	2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnitSrv.exe	31
PID 1128 wrote to memory of 2424	1128	2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnitSrv.exe	31
PID 1128 wrote to memory of 2424	1128	2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnitSrv.exe	31
PID 2424 wrote to memory of 2936	2424	DesktopLayer.exe	32
PID 2424 wrote to memory of 2936	2424	DesktopLayer.exe	32
PID 2424 wrote to memory of 2936	2424	DesktopLayer.exe	32
PID 2424 wrote to memory of 2936	2424	DesktopLayer.exe	32
PID 2936 wrote to memory of 3052	2936	iexplore.exe	33
PID 2936 wrote to memory of 3052	2936	iexplore.exe	33
PID 2936 wrote to memory of 3052	2936	iexplore.exe	33
PID 2936 wrote to memory of 3052	2936	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnit.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnitSrv.exe
  C:\Users\Admin\AppData\Local\Temp\2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnitSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
601c3e522f008db83165aa046f86eac8

SHA1
53a0203194ba26796dc57801c09a78b1202da03f

SHA256
d9fae9738bbc31c112c48e0a1e0a855628fc25b9b070779865d84370cc2b2b8d

SHA512
aeff3c98cc02aef4da391c2c8c8c2f0eff467b5bd8c78792d706d2fc97165f1d945116d1ae1420547731892aa0a98e2f192f4f29a1453145cb130af9eed69292

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3e8ec29029ea29f80d8077868a65069

SHA1
61a06104827446da3c85ae1590d9409329ead3e4

SHA256
93f400c41333fce0c68534df644ba9cb00b46bdcb9c09d26ba4b6c3b417ab340

SHA512
3e5a6875f718c4d1b9018b36b62897db2678ab88972a4876e28008d65bf416d477e0822167a88633fc18a6a24b0e8168ef524498ad38f4b7a01c55e9bb49f2f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97207ad51f43a7cd6c6cf83e15dbed40

SHA1
ded816cfa099c06d238e1ab2941262e5adaab321

SHA256
333e5357ad9b8a75ca136423a1d9e671f4949b807c74ad5d05c7cdcdad5c4d3c

SHA512
51acaafc4e484757a5bf98c7ec54c24bcbf58a561d6e5179dcf71907bb19f6f99654c4e220dabef8ca350d91989d49885108a6ef39549365d3752ff20ffa1eec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
613d5a3fb8279130b861c1a874431e63

SHA1
294143ddca32503e88943b7991da95b6cc96b102

SHA256
8ddd03e50902a8d455f9576e43de313fdb63a0df6c26dee1d7f6a3125fc6efb1

SHA512
dab4b97c7bde158660c7150b2bcbbf0d7733dff06affe647e8ce853796b6a327a8a43d2c6f5aeffb89a14e7a5976fbb5f3a12b11ef528113f20c2692bd9d0fe1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73fd1719228ca443b28c30256a0ef73d

SHA1
c0127e2652b3125b30c81bc0fcdbb5159549536b

SHA256
e2b558b87ab36c31188b7ace3f3730742829feedbb517c7eb983ad77c3c0a756

SHA512
2e0e0e6c5885f3eb131249b8fe3930f351bcac12d56a88d94bf477cdeb089de15452f9ffca112d27f840df07d4b956b6a36f3f2ae832d59ddd27267fc207c9bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1be482459a07f3915d137927f46f2a86

SHA1
4063851a1e145dc19da2e93036dab0c78bf9300b

SHA256
29c654a20d5f89da0eae374c385eb28e2b7c27f5d2a3e7ff43db7caf46d63119

SHA512
e7a02073768bfc82bb20307b00958d19b7210abfb44af2d1dbcd41f8ef5603df64553dc97ff9c54ca86ed10f49734850a5dc74adf71d4972a17b12f3dd70ab28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a8fd08bfc64e88822cb9c27d5829dd6

SHA1
17038e16194e365f095a2e78a1bd1b4b9d9badcd

SHA256
c399d80289038753109dad2a0a4d45d6c01a2abe4abbedd277bea274599db008

SHA512
9b87ee6fd74ded35911dfc62e3addce2c358d70d089df71eb7baa5e37092b0016cbc4f65b79d79469e6be8ea3a0eea1debc9bd0656d3f540ed10674d5236f5b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a5a51208fc815574c9e3ecfc7689069

SHA1
3b5e9936f2be3b15d359b3f9210eb94449875c5d

SHA256
9947224d3d9a238088be8ca39d9d0ff70bd92f9d40975c32bed2e2469a446ae8

SHA512
c0400efbcf734a0b5ddad6a147e42dc2e2dbc7f8f72559bb9929bd4f15a7ba3ff2cdf9821e4ed7970f700b85fea7c3e9d570e0d9afa53ec4168c3b507d85cbca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1869312852beb7ce2f53614b6e5ac3f0

SHA1
7db9ed813c7080774b2b688e05280bd6602982eb

SHA256
11d66c6843aace653ececef54ac5a71f2b2bf81a1c7654d96221ec7893c5dc45

SHA512
16bb73b052cdfe4c4f766a38c8b24676ea783929273880f840e57777a622957179b279e1363da5388f482128a135a87bdb5d1c032697ff82f2eaf407b958844d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ea6d8c6eb76975c285db6938184fbdc

SHA1
c1f423b8c0e6af0f8f8f7486dd946f4d0c8d0eeb

SHA256
b96e53e3ab44cbce0037a1ecb6059b86d89c83e173a925b55453ce4ee6da5850

SHA512
bafbd98135f54f93524974e6971eb4dbd4f2252dd5d747daa23c2299bb9d0738aa474f9703d8c552488ee57660fc487b34dd085e539e1e4fa59f97e318d87ba4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
653f29fdd826876467015b2feb636333

SHA1
f80fd35deb81b2d04bba4d501407e122d9de763a

SHA256
8b0455faea34460c5c0f504d8fe01f7b3c2d56a44857e793e141827f2bbbc947

SHA512
86cec4cad3ee8b0f96dc17a7bfde7ae60b1edba74657b7d83c510f544ddec09bac06265a04f254ccf56f0a827f4737ca548ecc97e86b0ea515a5d7f6582b8016

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
387ccf5dd81f2bfbb8edf20baa71d4f9

SHA1
822800236b1d186ea0a69a92f0c0123b4d97560c

SHA256
ff0467e3b95e7b89ac49e77a3d18175e6c5d46f603848ea4f60f07b161a42ae9

SHA512
264b9b44c0a2fa5f5c9851de012aa74f60977bd92649f735972673d28bb3f729bcb80ecb72e8d18df280a6fb3e81051c64c4f8023204a4aa5b139c66d1288294

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
493cb5697171cd0614be8e862f8abb31

SHA1
4d230c954ba5045c95214b5841293bfeb6102a45

SHA256
77e30752e4855c3bd8fcccf9543d0ed8cbf95952eae407190cd67c337c283bc6

SHA512
b912a7e40bf439f01b5e5ea9d52eaff70579aabd278ccea95a535a4cf19e04312e0c1deedf18d3155fe8cf0bbea3984dd01d1ab91a5431abdfdefcd19d64a904

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8737e5677408ba810179ece3482e354

SHA1
6b3a9dbf1163fc9831defd38a9e533ba838e6500

SHA256
2f07b5f33641b31587b5a1804bd3e0ec40909440f395bf88146f689b8bd2b3db

SHA512
bd720a943e6af183705c686b5c89f5b782c697c5e474d97c95ce7a91971c77392aa0bfc90a2e00e79841074c4b0a4f495350c9151dd0b4f3102d8f4ee71cbdf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ec95038b4fccf6b38a6e26136a6250a

SHA1
aa145295e57116ec59544f9d2c163e7acf4c0a1b

SHA256
80139ebd9edf99389c49bf125f45ac013981589e86d9240ff348e2334cf884b7

SHA512
abef2d42991c1aca839237e8548894e666dff86017829783fb02934bd39dbb711302853acc291075b6c8948103e4630319d8a91317131ffc2e2fe51f6cd2861a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12bd8bc015f751c885a0c206883a047d

SHA1
32625dff5404276967a92597522b996f184a2b71

SHA256
ab43932a24ad15dcbbdfd3c0c5e2966be437ef520f3608b92021db1f5e3d97d5

SHA512
a08f05dcf7d823822606800165d89c74e3d6001f91d77f96d597524b9a36d3f391712b374100aced19ccc98a538f71be283e94bdb573076d2c8fe257215187b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB55E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB61D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\2024-11-24_a6cd077b95edb75bafd6ab795564ce93_mafia_ramnitSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1128-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1688-5-0x0000000000100000-0x000000000012E000-memory.dmp

Filesize
184KB

Download
memory/1688-0-0x0000000000FD0000-0x0000000001319000-memory.dmp

Filesize
3.3MB

Download
memory/1688-21-0x0000000000FD0000-0x0000000001319000-memory.dmp

Filesize
3.3MB

Download
memory/1688-22-0x0000000000100000-0x000000000012E000-memory.dmp

Filesize
184KB

Download
memory/1688-451-0x0000000000FD0000-0x0000000001319000-memory.dmp

Filesize
3.3MB

Download
memory/2424-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2424-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2424-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2424-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download