Analysis Overview
SHA256: 7c84c1045054b6894b2e12c602a257e1a48610f875cb0e59f12af35bdca9eb03
Threat Level: Known bad
The file 2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi was found to be: Known bad.
Malicious Activity Summary
Ramnit
Ramnit family
Bdaejec
Bdaejec family
Detects Bdaejec Backdoor.
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Checks computer location settings
UPX packed file
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-12-04 23:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-12-04 23:21
Reported: 2024-12-04 23:23
Platform: win7-20240903-en
Max time kernel: 148s
Max time network: 148s
Command Line:
Signatures
Bdaejec
Bdaejec family
Detects Bdaejec Backdoor.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ramnit
Ramnit family
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\sidebar.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MSASCui.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MpCmdRun.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\sidebar.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\PDIALOG.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439516352" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7B49B7D1-B296-11EF-875C-F2BBDB1F0DCB} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe | "C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe" |
| C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe |
| C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe | C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe |
| C:\Program Files (x86)\Microsoft\DesktopLayer.exe | "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:275457 /prefetch:2 |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\2f2d5de4.bat" " |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | ddos.dnsnb8.net | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
Files
\Users\Admin\AppData\Local\Temp\VZRKxm.exe
| MD5 | 56b2c3810dba2e939a8bb9fa36d3cf96 |
| SHA1 | 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc |
| SHA256 | 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07 |
| SHA512 | 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e |
C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
C:\Users\Admin\AppData\Local\Temp\2f2d5de4.bat
| MD5 | 2b84f68ec4fc7ea91c225f475796157b |
| SHA1 | 47eee53ea0f6d5a3b38a7c48cfb2c89c98339c42 |
| SHA256 | 5505e36c503923f2edbc252709ae4ee6ce6d338291387a4afd8bc341825314bb |
| SHA512 | 793700cab10fef01b6245b9683836551274b4f513769f30bd5d05219cae5d10f65a7ca34138b7c7fdc642662d84d8a88f1d0c62fdc62a12fa1bb5b77ee00b63b |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-12-04 23:21
Reported: 2024-12-04 23:23
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 151s
Command Line:
Signatures
Bdaejec
Bdaejec family
Detects Bdaejec Backdoor.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ramnit
Ramnit family
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoasb.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\wab.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoev.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVLP.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1344636947" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1344636947" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1348074113" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31147683" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7B9F5F9F-B296-11EF-BDBF-CA65FB447F0B} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440119461" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31147683" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31147683" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe"
C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe
C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe
C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe
C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:17410 /prefetch:2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\131d6e2b.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ddos.dnsnb8.net | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
Files
memory/1808-0-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe
| MD5 | 56b2c3810dba2e939a8bb9fa36d3cf96 |
| SHA1 | 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc |
| SHA256 | 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07 |
| SHA512 | 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e |
memory/3316-4-0x00000000005E0000-0x00000000005E9000-memory.dmp
memory/2424-10-0x0000000000400000-0x000000000042E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
memory/2424-14-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2424-13-0x0000000000550000-0x000000000055F000-memory.dmp
memory/1960-18-0x0000000000560000-0x0000000000561000-memory.dmp
memory/1960-19-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1960-21-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1808-23-0x0000000000400000-0x0000000000422000-memory.dmp
memory/3316-24-0x00000000005E0000-0x00000000005E9000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 1febcd32ec103d1677cea2e73245ffa6 |
| SHA1 | fc35cc168291c490a78416705e90cefde5627fb2 |
| SHA256 | 5bdad5ebecb1cd1683243aae582b801c2d63dd9d18ad434c006fdf294e83ff38 |
| SHA512 | 24ae00db57547a7de9623cd557b9cff5ac42295965ad201163bc13eb39e6077f31cee2ace6986b355dd7788396c11e95b961390add8f587b7e57ca10a2c213bb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 3a151ee5b584ad767bc8689ae7ca2f14 |
| SHA1 | eade4f2b6b72d6f5040879365394e579e6ab4077 |
| SHA256 | 295c57b19237f442c5a3de3a22919e485d6deac14fe50c6470d2280d79d3e6bb |
| SHA512 | e541876cb8990f0b7fc950d3aa35ac3cb19ed32e2496f2eaeedf64540c74db723fd9ce16819677e1bcee43008e1cea4254d462aa344ce07f3469d41c561df0e1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
C:\Users\Admin\AppData\Local\Temp\131d6e2b.bat
| MD5 | b7d83b364e940fca77a7dbeb912fd4c0 |
| SHA1 | 679f9934d19adfe342646a1e55c712e9ebe7a236 |
| SHA256 | 7bffab5ec8bc0f12a6dab67545e8f2bebd05f038ee3b09c558c3189b0f40e17a |
| SHA512 | 3716d524126d2b074617ced151df20cfe603390c2ee1e19cde6193481e9cd2a1a7def26c2aeff04cfb81b4e837e3773ab1f66c1804620dce56f30541d8150624 |