Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
04-12-2024 23:24

Static task
static1
Behavioral task
behavioral1
Sample
2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe
Resource
win7-20240903-en

General

Target
2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe
Size
132KB
MD5
58106e9c40b89aa095fd22658ffa6e8d
SHA1
4b7010b1df0a203ff99a0f3aea50898337d56f2c
SHA256
7c84c1045054b6894b2e12c602a257e1a48610f875cb0e59f12af35bdca9eb03
SHA512
f4dfdda8e2163d4e2cf9a464972a4e2b3f618a1f7559050c8a3a432a191c8ad54d44e94f1a97b6526b1b2058b0c95fc043ef2ad4d90878416d137353222a9295
SSDEEP
3072:pTKbS75Attg3bPMmAlJG/ybuuHicEG+0GCH:4bSOSPMmaJGwuuHUG+J
Malware Config

Extracted
Family
bdaejec
C2
ddos.dnsnb8.net
Signatures

Bdaejec family

Detects Bdaejec Backdoor. 1 IoCs
Bdaejec is a backdoor written in C++.
resource  yara_rule
behavioral1/memory/3068-469-0x0000000000A00000-0x0000000000A09000-memory.dmp  family_bdaejec_backdoor

Ramnit family

Packer detection (yara rule aspack_v212_v242). 1 IoCs
resource  yara_rule
behavioral1/files/0x000d0000000122e4-2.dat  aspack_v212_v242

Executes dropped EXE 3 IoCs
pid   Process
3068  VZRKxm.exe
2452  2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe
2748  DesktopLayer.exe

Loads dropped DLL 4 IoCs
pid   Process
3004  2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe
3004  2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe
3004  2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe
2452  2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe

Packer detection (yara rule upx). 7 IoCs
resource  yara_rule
behavioral1/memory/2748-33-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral1/memory/2748-35-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral1/memory/2748-37-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral1/memory/2452-23-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral1/files/0x0008000000016d58-21.dat  upx
behavioral1/memory/2452-20-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral1/memory/2748-30-0x0000000000400000-0x000000000042E000-memory.dmp  upx
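The yara hits above are named after the memory dumps they matched in. The script below is an added example, not code from the report or from any sandbox vendor: it parses those resource names into pid, address range and rule, collapses repeated dumps of the same region, and reports regions that occur in more than one process. It assumes the naming scheme `behavioral1/memory/<pid>-<index>-0x<base>-0x<end>-memory.dmp`, inferred from the lines on this page; the middle number is treated as a dump index and nothing else is read from it. The input is copied from the two memory-dump tables above.

```python
"""Parse sandbox memory-dump yara hits and find regions shared across pids.

Added example; not part of the original report. The naming scheme
behavioral1/memory/<pid>-<index>-0x<base>-0x<end>-memory.dmp is an assumption
inferred from the report's own resource names.
"""
import re
from collections import defaultdict

# Constructed input: the yara hit rows from the report, one hit per line.
HITS = """\
behavioral1/memory/3068-469-0x0000000000A00000-0x0000000000A09000-memory.dmp family_bdaejec_backdoor
behavioral1/memory/2748-33-0x0000000000400000-0x000000000042E000-memory.dmp upx
behavioral1/memory/2748-35-0x0000000000400000-0x000000000042E000-memory.dmp upx
behavioral1/memory/2748-37-0x0000000000400000-0x000000000042E000-memory.dmp upx
behavioral1/memory/2452-23-0x0000000000400000-0x000000000042E000-memory.dmp upx
behavioral1/memory/2452-20-0x0000000000400000-0x000000000042E000-memory.dmp upx
behavioral1/memory/2748-30-0x0000000000400000-0x000000000042E000-memory.dmp upx
"""

DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<index>\d+)-"
    r"0x(?P<base>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_hits(text):
    """Return one dict per hit: pid, dump index, base address, size, rule."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised resource line: {line!r}")
        base = int(m["base"], 16)
        end = int(m["end"], 16)
        hits.append({
            "pid": int(m["pid"]),
            "index": int(m["index"]),
            "base": base,
            "size": end - base,
            "rule": m["rule"],
        })
    return hits


def regions_by_pid(hits):
    """pid -> sorted list of distinct (base, size, rule) that matched in it.

    Repeated dumps of the same region (the sandbox dumps several times) collapse
    to one entry, which is what matters when comparing processes.
    """
    out = defaultdict(set)
    for h in hits:
        out[h["pid"]].add((h["base"], h["size"], h["rule"]))
    return {pid: sorted(v) for pid, v in out.items()}


def shared_regions(hits):
    """(base, size, rule) -> sorted pids, for regions seen in more than one pid."""
    seen = defaultdict(set)
    for h in hits:
        seen[(h["base"], h["size"], h["rule"])].add(h["pid"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    parsed = parse_hits(HITS)
    for pid, regions in sorted(regions_by_pid(parsed).items()):
        for base, size, rule in regions:
            print(f"pid {pid}: 0x{base:X} size 0x{size:X} ({size} bytes) -> {rule}")
    for (base, size, rule), pids in shared_regions(parsed).items():
        print(f"same {rule} region 0x{base:X}/0x{size:X} in pids {pids}")
```

On this report the output shows the upx hit at the same base (0x400000) and size (0x2E000) in both pid 2452 (wapomiSrv.exe) and pid 2748 (DesktopLayer.exe), while the bdaejec hit is a separate 0x9000-byte region in pid 3068. A matching base and size is a lead that the two processes map the same packed image, not proof; the page does not attribute a hash to DesktopLayer.exe, so confirm against the dropped-file hashes before treating them as one sample.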
Drops file in Program Files directory 64 IoCs
description  ioc  Process
All 64 rows have description "File opened for modification" and Process VZRKxm.exe; the ioc column is:
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe
C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe
C:\Program Files\Mozilla Firefox\uninstall\helper.exe
C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe
C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe
C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Mail\wab.exe
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe
C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe
C:\Program Files\Java\jre7\bin\policytool.exe
C:\Program Files\Microsoft Games\Hearts\Hearts.exe
C:\Program Files\Windows Journal\PDIALOG.exe
C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe
C:\Program Files\Java\jre7\bin\rmiregistry.exe
C:\Program Files\Java\jre7\bin\ssvagent.exe
C:\Program Files\Microsoft Games\Chess\Chess.exe
C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
C:\Program Files\7-Zip\7zG.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Program Files (x86)\Microsoft Office\Office14\misc.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe
C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE
C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe
C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe
C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe
C:\Program Files\Windows Mail\wabmig.exe
C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE
C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe
C:\Program Files\Java\jre7\bin\jabswitch.exe
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
C:\Program Files\Java\jre7\bin\javacpl.exe
C:\Program Files\Mozilla Firefox\updater.exe
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe
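A single dropped process opening sixty-odd executables from unrelated vendors for modification is the pattern you would triage first in this report. The script below is an added example, not code from the report or from any sandbox vendor: it takes the table in the flattened form it has on this page ("File opened for modification <path> <process>" repeated), splits it into (path, process) rows, and summarises which products and which writing processes are involved, with a separate check for the Windows Defender binaries in the list. The excerpt embedded as input is copied from the table above; the full table parses the same way.

```python
"""Summarise "Drops file in Program Files directory" IoCs from a sandbox report.

Added example; not part of the original report. The input format (flattened
"<description> <path> <process>" rows) is taken from the way the table appears
on the page; the path may contain spaces, the process name may not.
"""
from collections import Counter
from pathlib import PureWindowsPath

# Constructed input: an excerpt of the report's table in its flattened form.
TABLE = (
    "File opened for modification C:\\Program Files\\7-Zip\\7zFM.exe VZRKxm.exe "
    "File opened for modification C:\\Program Files\\Java\\jdk1.7.0_80\\bin\\extcheck.exe VZRKxm.exe "
    "File opened for modification C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEMN.EXE VZRKxm.exe "
    "File opened for modification C:\\Program Files\\Windows Defender\\MSASCui.exe VZRKxm.exe "
    "File opened for modification C:\\Program Files\\Windows Defender\\MpCmdRun.exe VZRKxm.exe "
    "File opened for modification C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Setup Files\\"
    "{AC76BA86-7AD7-1033-7B44-A90000000001}\\Setup.exe VZRKxm.exe"
)

DESC = "File opened for modification "


def parse_rows(text):
    """Split the flattened table into (path, process) tuples.

    Splitting on the fixed description text isolates one row per chunk; the
    process name is the last space-separated token, everything before it is
    the path (which legitimately contains spaces).
    """
    rows = []
    for chunk in text.split(DESC):
        chunk = chunk.strip()
        if not chunk:
            continue
        path, process = chunk.rsplit(" ", 1)
        rows.append((path, process))
    return rows


def summarise(rows):
    """Counts per top-level product directory and per extension, plus writers.

    A file infector shows up as one process touching executables from many
    unrelated vendors; an installer or updater touches its own tree only.
    """
    by_product = Counter()
    by_ext = Counter()
    writers = set()
    for path, process in rows:
        p = PureWindowsPath(path)
        # parts: ('C:\\', 'Program Files', '<product>', ...)
        by_product[p.parts[2]] += 1
        by_ext[p.suffix.lower()] += 1
        writers.add(process)
    return {"by_product": by_product, "by_ext": by_ext, "writers": writers}


def security_tooling_touched(rows, names=("MSASCui.exe", "MpCmdRun.exe")):
    """Paths whose file name is one of the Defender binaries in the report.

    A security tool opened for modification by malware is not trustworthy
    afterwards; restore it from known-good media rather than relying on it.
    """
    return sorted(p for p, _ in rows if PureWindowsPath(p).name in names)


if __name__ == "__main__":
    parsed = parse_rows(TABLE)
    summary = summarise(parsed)
    print("writers:", summary["writers"], "extensions:", dict(summary["by_ext"]))
    for product, n in summary["by_product"].most_common():
        print(f"{n:3d}  {product}")
    print("defender binaries touched:", security_tooling_touched(parsed))
```

Run against the full 64-row table the product counts are dominated by the Java directories, every row is an .exe/.EXE, and the only writer is VZRKxm.exe; the two Defender binaries (MSASCui.exe, MpCmdRun.exe) are in the list, so on a real host you would not rely on that Defender installation to assess the damage.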
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DesktopLayer.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  VZRKxm.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Modifies Internet Explorer settings 28 IoCs
description  ioc  Process
All keys below are relative to \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer.
Key created  Main  iexplore.exe
Key created  GPU  iexplore.exe
Key created  LowRegistry\DOMStorage  iexplore.exe
Key created  LowRegistry\DontShowMeThisDialogAgain  iexplore.exe
Key created  Toolbar  iexplore.exe
Key created  SearchScopes  iexplore.exe
Key created  Recovery\PendingRecovery  iexplore.exe
Set value (int)  DomainSuggestion\NextUpdateDate = "439516528"  iexplore.exe
Key created  BrowserEmulation\LowMic  iexplore.exe
Key created  IntelliForms  iexplore.exe
Key created  Toolbar\WebBrowser  iexplore.exe
Key created  Zoom  iexplore.exe
Set value (int)  Main\CompatibilityFlags = "0"  iexplore.exe
Set value (int)  Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Key created  IETld\LowMic  iexplore.exe
Key created  InternetRegistry  iexplore.exe
Key created  LowRegistry  iexplore.exe
Key created  PageSetup  iexplore.exe
Key created  Main\WindowsSearch  iexplore.exe
Set value (str)  Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Set value (int)  SearchScopes\DownloadRetries = "2"  iexplore.exe
Key created  DomainSuggestion  iexplore.exe
Set value (str)  Main\FullScreen = "no"  iexplore.exe
Key created  Main  IEXPLORE.EXE
Set value (data)  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
Set value (int)  Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
Key created  Recovery\AdminActive  iexplore.exe
Set value (int)  Recovery\AdminActive\{E43C43C1-B296-11EF-B38B-EAF82BEC9AF0} = "0"  iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
2748  DesktopLayer.exe
2748  DesktopLayer.exe
2748  DesktopLayer.exe
2748  DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
2744  iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
pid   Process
2744  iexplore.exe
2744  iexplore.exe
2708  IEXPLORE.EXE
2708  IEXPLORE.EXE
2708  IEXPLORE.EXE
2708  IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs
description  pid  Process  procid_target
Each of the six parent/child pairs below is logged four times, giving the 24 rows.
PID 3004 wrote to memory of 3068  3004  2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe  30
PID 3004 wrote to memory of 2452  3004  2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe  31
PID 2452 wrote to memory of 2748  2452  2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe  32
PID 2748 wrote to memory of 2744  2748  DesktopLayer.exe  33
PID 2744 wrote to memory of 2708  2744  iexplore.exe  34
PID 3068 wrote to memory of 1588  3068  VZRKxm.exe  39
Processes

C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe"
  PID: 3004
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe
    PID: 3068
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\163f574d.bat" "
      PID: 1588
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe
    PID: 2452
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      PID: 2748
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 2744
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2
          PID: 2708
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
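The process tree above and the "Suspicious use of WriteProcessMemory" table in the Signatures section describe the same parent/child relationships, the table from the writer's side (each call logged separately, so every pair appears four times) and the tree from the launcher's side. The script below is an added example, not code from the report or from any sandbox vendor: it parses the table rows in the form they take on this page ("PID <src> wrote to memory of <dst> <src> <process> <procid_target>"), collapses the repeated calls, rebuilds the tree and gives the lineage of any pid, which is the first thing you want when deciding which processes to kill and which artefacts to collect. The only names available from that table are the writers', so leaf pids (1588, 2708) are labelled with a placeholder; the Processes section names them cmd.exe and IEXPLORE.EXE. The input is the report's 24 rows reconstructed as constructed text.

```python
"""Rebuild a process tree from sandbox WriteProcessMemory rows.

Added example; not part of the original report. Row format is taken from the
report's table: 'PID <src> wrote to memory of <dst> <src> <process> <target>'.
Leaf pids are never writers, so their names are not in this table.
"""
import re
from collections import defaultdict

# Constructed input: the report's 24 rows (six pairs, each logged four times).
WPM = (
    "PID 3004 wrote to memory of 3068 3004 2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe 30 " * 4
    + "PID 3004 wrote to memory of 2452 3004 2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe 31 " * 4
    + "PID 2452 wrote to memory of 2748 2452 2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe 32 " * 4
    + "PID 2748 wrote to memory of 2744 2748 DesktopLayer.exe 33 " * 4
    + "PID 2744 wrote to memory of 2708 2744 iexplore.exe 34 " * 4
    + "PID 3068 wrote to memory of 1588 3068 VZRKxm.exe 39 " * 4
)

# The writer pid is repeated after the target pid; the backreference enforces that.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<name>\S+) (?P<target>\d+)"
)


def parse_wpm(text):
    """One (src_pid, dst_pid, src_name, procid_target) tuple per logged call."""
    return [(int(m["src"]), int(m["dst"]), m["name"], int(m["target"]))
            for m in ROW_RE.finditer(text)]


def build_tree(rows):
    """Collapse repeated calls into parent -> children, pid -> name, and call counts."""
    children = defaultdict(set)
    names = {}
    calls = defaultdict(int)
    for src, dst, name, _target in rows:
        children[src].add(dst)
        names[src] = name
        calls[(src, dst)] += 1
    return children, names, calls


def roots(children):
    """Pids that write to others but are never written to: the tree roots."""
    targets = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in targets)


def render(children, names, pid, depth=0):
    """Indented text tree; '?' marks pids this table never names (leaf processes)."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '?')}"]
    for child in sorted(children.get(pid, ())):
        lines.extend(render(children, names, child, depth + 1))
    return lines


def lineage(children, pid):
    """Pids from the root down to pid; empty list if pid is not in the tree."""
    parent = {c: p for p, cs in children.items() for c in cs}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    if len(chain) == 1 and pid not in children:
        return []
    return list(reversed(chain))


if __name__ == "__main__":
    parsed = parse_wpm(WPM)
    tree, proc_names, call_counts = build_tree(parsed)
    for root in roots(tree):
        print("\n".join(render(tree, proc_names, root)))
    print("lineage of 2708:", lineage(tree, 2708))
```

The rebuilt tree has a single root, 3004, with two branches: 3068 (VZRKxm.exe, the Program Files infector) spawning 1588, and 2452 spawning 2748, 2744 and 2708, which matches the Processes section. The one-to-one correspondence between a write and a launch holds for this sample because every WriteProcessMemory target is also a child in the tree; when a writer targets a pid that is not its child, treat that as injection into an existing process rather than a launch.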
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b2a552b2da83ad1b7adbe190c874aead
SHA1 a218d5123be57c06c232d7e86140614efcc578fd
SHA256 b96b515183f0c6232d50e06ede43acc3cfccc954a8a3a3a6f4845f59196f34f6
SHA512 5a91f1b48b91e52755a7992d9c709865de008be7d05fe5b82b1e60381f86ddcd217da5b4e83874969cfe46540000938cfe43c488fcc930d0fdb298f4227a0df6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 35778852d0cc4b0aac908eba7a19357c
SHA1 459804bedab382feb22fba889ac1afdc7dacff08
SHA256 66a27dfddaeed55ae147c0cc478a0f32c19ee48b53b225fac529d4f66a77bf4f
SHA512 f42c783445d9c67da96108d91a67c91e8b3578abccddd4d0871025ab3f9209350f4414b322135497359d36d5e1154e3521db1007ca25887ff341134e983037fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 187692f812e624fa58707dc7d28365b3
SHA1 374cfc276e3103ea4b3bb7728793414b0b6f7d6d
SHA256 86c29c154be41abca52565f8cacfd13b2d4222afb47c01e14db3b8583f18c401
SHA512 33e94060775a9dc64232982ec3830792547389fab60b82caaafe20ddb812489c00e42a1bd8ad8a2e25e745409ff97ef9da79f657eadf61f4574f3dd110bf4482

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 434046b4dde3ed4458bd49829de0bf81
SHA1 6a22fbf59067e292c73dce99e31a92a1ad18f19e
SHA256 5d956e989d5b153cf37051ee8b7b3f6cf9f3b79911407f1bbc10ee4892fcb2e9
SHA512 695ba45ed3f8d85aae9143a63d554fc9fe223603b61b0a05e642fdad2f0ca116416ef27a77877b300501c4329b4a5063311b730908a08d94cc8fd8d2ae7280b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 afbd71ed32c2dcce088f6c98ca795660
SHA1 a4338e56b531118bad34c729a4698485fd062a36
SHA256 0a37fe83f31e4aadbc6f68b8316d11b21370195e5901234a17ca800effc30ca2
SHA512 0c65abe379239cf3177781caffa3ac6cc532901bbcd4114be33a52e40d7c5b80a6d03e55daeafdf7b25959f9c981eddbccf37f8b66b00159e04146d3cf2e2de8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 4846420286048e83badf412d102f19a7
SHA1 76e29eaa65db0015d1399cf698cfc286c89441c7
SHA256 336a23e5764ab6dae3d33ec59ac5418f30df4618e2dbf27c8614f6acd91d3830
SHA512 c95042b44aeae51a463d0b229ee10030e45284569cafdce5a2446ed290f7a65128e0b0a0b0993fea5859be0b9de8aa03e77c580febabc9ed6449019c0ff09bba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 d00186e6a59ee68031618c894b85567e
SHA1 5ae20041f7eb43737b07d5eb75cbde12fd0fad9f
SHA256 3cc538bd2b7a732b775b7233ae5f7b12bdfd1fa9817ed53f7bd8195eb2c867ec
SHA512 f7cbde57363efe44f6f7307973ddb9bc170c22f085d5aeb98628d692d888662faff8bbd6284356c38244171782998631b66e58caf6f9cdcc97f8bc27422851c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c285f73be560814d0a91b921138cf24a
SHA1 0ee3fa00d657eb13ce47383e191cfa1cf8771667
SHA256 a9855a2af4bda4b96a7e34b79c4c8f4b83ce018e829f894054969d45da27276b
SHA512 5a5c5d49227230945ab436b6c4de8d61a11fd3e8994ac4ecfe0fdea428080cbb7181a318fd9e35da89e5b5018398eb1ad19536dbae7a73a8e65a5cc00a90103b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 cae82b3e9d5d596af6c8f397e85a3385
SHA1 b9498adfa9c0f9f9576f3cee91bba9d0560b577d
SHA256 0f95acf13937ad0f99b67c99657918acd00ab16e223f87521cd408dffad196e9
SHA512 cba60b8fdf937440f6fd9e1b09293cc04674209f844dea62fe4411610dc85f1e4b87385d1eb4c7eabfae43755625e7afaa1732e0c97d0c730565cc9eb7e5413d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 dc40cdead2441b3f4f8188e16fd017bb
SHA1 d7d5f03c765a1a1f130e42bc56ee8a6462d602d5
SHA256 50139d95c9bca32aadb5a0297016fe149388a7c51ab7a9667899fba62b139078
SHA512 154ae482ee30b7350365660d82f77871462fd9e8859a314ec902e1166e14cd7adf90e51fda57d3802684f17089d1fe490b5b2be52677116b7d3d3293982ff317

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 084ff0feb5110b91c13f7cbec3e61521
SHA1 73d8d58e5e7f0409256f926a5c9fb53609e5cffa
SHA256 1a82962de5426f5c478760c0ec0a6dc87f25cb1b5472fb611986af138129c18f
SHA512 bd48fb9f3a2411b99d167951e79042610c921da8e6ae3823cd3dc7a24608ea7f3eafd60fd7e5d51ba2ad73c0e8362193a5a4bdfd08fc8dade45e516247cf5b6c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 3e91fff9daf5418168b59af4245d207c
SHA1 a1009d242c03260757b35dbe437a1e1d46e57676
SHA256 2b376db83372f918f4655a15f55968edfbdf6809c19d78f535a785cdd6e1c959
SHA512 58023fe72e453adf44c2f408449f2a08677903a5d3b8fcd5ad8b66cd1d4263e9564540bdfacda30b65e3354e65f590b29ceca970dd7434db18b2612c231e7d0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 e72a7a17f7fada90a1f249b8d36d75d7
SHA1 440f5fea27d6d782f97565136e34e907b0b0c954
SHA256 e23fb845220192f0d0ae2c4d174505ab5e96f8f53650909b27abb235d3ff958c
SHA512 af71077ed4f088113e7679f5a6d35c5f8556554a3e2e467493bde9f2ece2754e42419d52d3ddefaadfc262ce4b71768004d56c41c7c44234dfaf957243e6d70b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 dec337d2e86719635c51a57be333ee41
SHA1 94b619ed2cd3d44a442283b8dc3d88d53bb8b5ca
SHA256 8752e729def755f4baec365a11b775b107a585c6d8bbbfa7dcdb36661d384334
SHA512 066aadf3142779a6a54c41ae381e8de6fa9bd1308d3889a2fdc219274458cca207e39f71fcc461b33ab5fdcb406ee9310b52ba7cad7746ec4c7dded1e646b4e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 34d3c0b0ceee94ebab27d86f824f756f
SHA1 43e9c9e383db9731867a1b094b686a675a30169c
SHA256 aeb4c76970c204ae06c37a1b6d3b622a614b5a542ec01be67222a8cffecb00ac
SHA512 c4e064b4963f011ed0e1d4e03dd5be947d05678d904be257ddc4bf6d78db8303efbf1058cc0c41d09260ba4e1f050df48dfe5e9fd2eb94f6ebb8f4bfdd7a8d12

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 938e7ed3b0c70ab1c3c61cf8907267e4
SHA1 74d563a72583d7569aaf8610c485cc31cb2b882c
SHA256 d8146e5cdffe443aa216ce5091d0302141aa9c00770af7320eb284ce5cc012e5
SHA512 0b37ee0f71c22a8642494ab181a6d392e869099d3631aa0b3ea28f529de9f731722aba4c1236a173ba2473ad8d474d63ec73dbab7c7dff1e19d745ed7007f5a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 601d2023bc6f310b4a0331657bbe847c
SHA1 05e13adb043c7b8d3856355abb7a4e0e752fcab6
SHA256 1f2dbfc4f1131b82d4a40b3b879eec0b19f4ddfb075ea989dfa81aa8d774027a
SHA512 40269347cc70f585535df86ee0633c0b05240efea42dc23b24ab5a914cc14262e2f163011bff84b6ba139943ca2e268ffd5f7c8cd2d56f3d9aed67981e666f29

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b649bfca19ac97b64e46d0c7ca93f619
SHA1 6bfaab95b0d92ac14294a74526bfa5f97b4a8c4e
SHA256 0312119a87943addd5ef7ad517cf18286204349f0aafecc677a1611bc3c606ca
SHA512 edee0c4dbc40d40cdf89a64db5e3312837ba25bcddef44001c143e5cd6fcd4345dc604d358b35be509f3f46fafd5110f70ef111550cac79606de0896ac66af99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 6311306b1253af3a2fe105739209091f
SHA1 de758903426504b17824e9b4f6829cb92f2cfb91
SHA256 d581b93f895d567be7d07578f117555d914fedce307f37fdea5a65e61dc1222b
SHA512 be8f418cb45b46dfa6739e2cf7e0a5de0156f33e32789f1d52932282555010cc3005cfdf3f21cce6f4063f814d526b3f6de7547b3e2d5990475723b810fc59e2

Filesize 187B
MD5 bd2f7eda4c8f93a619383f775cb7e923
SHA1 9a644114111404f6292940b73c8335a8ddc56ade
SHA256 c24299f8630bbf43ea6d5ecf9b5753d4932865489e79fe8a839481e27b476f1a
SHA512 2e5c0093f854dc242adc00ffe8e7c4b4d5cd34f10963a529492151b691a08868ebc426115ffe6c30b382b5b52e8d020ccce1c1f5e85ae5977d542ee93a47a8c9

C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe
Filesize 55KB
MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize 15KB
MD5 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e