Analysis Overview
SHA256: 7c84c1045054b6894b2e12c602a257e1a48610f875cb0e59f12af35bdca9eb03
Threat Level: Known bad
The file 2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi was found to be: Known bad.
Malicious Activity Summary
Detects Bdaejec Backdoor.
Bdaejec
Ramnit family
Ramnit
Bdaejec family
ASPack v2.12-2.42
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
UPX packed file
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-12-04 23:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-12-04 23:24
Reported: 2024-12-04 23:26
Platform: win7-20240903-en
Max time kernel: 148s
Max time network: 148s
Command Line
Signatures
Bdaejec
Bdaejec family
Detects Bdaejec Backdoor.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Ramnit
Ramnit family
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MSASCui.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\wab.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Hearts\Hearts.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\PDIALOG.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Chess\Chess.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\misc.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MpCmdRun.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439516528" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E43C43C1-B296-11EF-B38B-EAF82BEC9AF0} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe"
C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe
C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe
C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe
C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\163f574d.bat" "
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | ddos.dnsnb8.net | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
Files
memory/3004-0-0x0000000000400000-0x0000000000422000-memory.dmp
\Users\Admin\AppData\Local\Temp\VZRKxm.exe
| MD5 | 56b2c3810dba2e939a8bb9fa36d3cf96 |
| SHA1 | 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc |
| SHA256 | 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07 |
| SHA512 | 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e |
memory/3004-4-0x0000000000230000-0x0000000000239000-memory.dmp
memory/3068-11-0x0000000000A00000-0x0000000000A09000-memory.dmp
memory/3004-9-0x0000000000230000-0x0000000000239000-memory.dmp
memory/2748-34-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2748-33-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2748-35-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2748-37-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2452-23-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2452-22-0x0000000000230000-0x000000000023F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
memory/2452-20-0x0000000000400000-0x000000000042E000-memory.dmp
memory/3004-18-0x0000000000230000-0x000000000025E000-memory.dmp
memory/3004-32-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2748-30-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2452-28-0x0000000000260000-0x000000000028E000-memory.dmp
memory/3004-40-0x0000000000230000-0x000000000025E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabCA25.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarCA86.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 601d2023bc6f310b4a0331657bbe847c |
| SHA1 | 05e13adb043c7b8d3856355abb7a4e0e752fcab6 |
| SHA256 | 1f2dbfc4f1131b82d4a40b3b879eec0b19f4ddfb075ea989dfa81aa8d774027a |
| SHA512 | 40269347cc70f585535df86ee0633c0b05240efea42dc23b24ab5a914cc14262e2f163011bff84b6ba139943ca2e268ffd5f7c8cd2d56f3d9aed67981e666f29 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2a552b2da83ad1b7adbe190c874aead |
| SHA1 | a218d5123be57c06c232d7e86140614efcc578fd |
| SHA256 | b96b515183f0c6232d50e06ede43acc3cfccc954a8a3a3a6f4845f59196f34f6 |
| SHA512 | 5a91f1b48b91e52755a7992d9c709865de008be7d05fe5b82b1e60381f86ddcd217da5b4e83874969cfe46540000938cfe43c488fcc930d0fdb298f4227a0df6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 35778852d0cc4b0aac908eba7a19357c |
| SHA1 | 459804bedab382feb22fba889ac1afdc7dacff08 |
| SHA256 | 66a27dfddaeed55ae147c0cc478a0f32c19ee48b53b225fac529d4f66a77bf4f |
| SHA512 | f42c783445d9c67da96108d91a67c91e8b3578abccddd4d0871025ab3f9209350f4414b322135497359d36d5e1154e3521db1007ca25887ff341134e983037fa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 187692f812e624fa58707dc7d28365b3 |
| SHA1 | 374cfc276e3103ea4b3bb7728793414b0b6f7d6d |
| SHA256 | 86c29c154be41abca52565f8cacfd13b2d4222afb47c01e14db3b8583f18c401 |
| SHA512 | 33e94060775a9dc64232982ec3830792547389fab60b82caaafe20ddb812489c00e42a1bd8ad8a2e25e745409ff97ef9da79f657eadf61f4574f3dd110bf4482 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 434046b4dde3ed4458bd49829de0bf81 |
| SHA1 | 6a22fbf59067e292c73dce99e31a92a1ad18f19e |
| SHA256 | 5d956e989d5b153cf37051ee8b7b3f6cf9f3b79911407f1bbc10ee4892fcb2e9 |
| SHA512 | 695ba45ed3f8d85aae9143a63d554fc9fe223603b61b0a05e642fdad2f0ca116416ef27a77877b300501c4329b4a5063311b730908a08d94cc8fd8d2ae7280b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | afbd71ed32c2dcce088f6c98ca795660 |
| SHA1 | a4338e56b531118bad34c729a4698485fd062a36 |
| SHA256 | 0a37fe83f31e4aadbc6f68b8316d11b21370195e5901234a17ca800effc30ca2 |
| SHA512 | 0c65abe379239cf3177781caffa3ac6cc532901bbcd4114be33a52e40d7c5b80a6d03e55daeafdf7b25959f9c981eddbccf37f8b66b00159e04146d3cf2e2de8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4846420286048e83badf412d102f19a7 |
| SHA1 | 76e29eaa65db0015d1399cf698cfc286c89441c7 |
| SHA256 | 336a23e5764ab6dae3d33ec59ac5418f30df4618e2dbf27c8614f6acd91d3830 |
| SHA512 | c95042b44aeae51a463d0b229ee10030e45284569cafdce5a2446ed290f7a65128e0b0a0b0993fea5859be0b9de8aa03e77c580febabc9ed6449019c0ff09bba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d00186e6a59ee68031618c894b85567e |
| SHA1 | 5ae20041f7eb43737b07d5eb75cbde12fd0fad9f |
| SHA256 | 3cc538bd2b7a732b775b7233ae5f7b12bdfd1fa9817ed53f7bd8195eb2c867ec |
| SHA512 | f7cbde57363efe44f6f7307973ddb9bc170c22f085d5aeb98628d692d888662faff8bbd6284356c38244171782998631b66e58caf6f9cdcc97f8bc27422851c1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c285f73be560814d0a91b921138cf24a |
| SHA1 | 0ee3fa00d657eb13ce47383e191cfa1cf8771667 |
| SHA256 | a9855a2af4bda4b96a7e34b79c4c8f4b83ce018e829f894054969d45da27276b |
| SHA512 | 5a5c5d49227230945ab436b6c4de8d61a11fd3e8994ac4ecfe0fdea428080cbb7181a318fd9e35da89e5b5018398eb1ad19536dbae7a73a8e65a5cc00a90103b |
memory/3068-469-0x0000000000A00000-0x0000000000A09000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cae82b3e9d5d596af6c8f397e85a3385 |
| SHA1 | b9498adfa9c0f9f9576f3cee91bba9d0560b577d |
| SHA256 | 0f95acf13937ad0f99b67c99657918acd00ab16e223f87521cd408dffad196e9 |
| SHA512 | cba60b8fdf937440f6fd9e1b09293cc04674209f844dea62fe4411610dc85f1e4b87385d1eb4c7eabfae43755625e7afaa1732e0c97d0c730565cc9eb7e5413d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dc40cdead2441b3f4f8188e16fd017bb |
| SHA1 | d7d5f03c765a1a1f130e42bc56ee8a6462d602d5 |
| SHA256 | 50139d95c9bca32aadb5a0297016fe149388a7c51ab7a9667899fba62b139078 |
| SHA512 | 154ae482ee30b7350365660d82f77871462fd9e8859a314ec902e1166e14cd7adf90e51fda57d3802684f17089d1fe490b5b2be52677116b7d3d3293982ff317 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 084ff0feb5110b91c13f7cbec3e61521 |
| SHA1 | 73d8d58e5e7f0409256f926a5c9fb53609e5cffa |
| SHA256 | 1a82962de5426f5c478760c0ec0a6dc87f25cb1b5472fb611986af138129c18f |
| SHA512 | bd48fb9f3a2411b99d167951e79042610c921da8e6ae3823cd3dc7a24608ea7f3eafd60fd7e5d51ba2ad73c0e8362193a5a4bdfd08fc8dade45e516247cf5b6c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3e91fff9daf5418168b59af4245d207c |
| SHA1 | a1009d242c03260757b35dbe437a1e1d46e57676 |
| SHA256 | 2b376db83372f918f4655a15f55968edfbdf6809c19d78f535a785cdd6e1c959 |
| SHA512 | 58023fe72e453adf44c2f408449f2a08677903a5d3b8fcd5ad8b66cd1d4263e9564540bdfacda30b65e3354e65f590b29ceca970dd7434db18b2612c231e7d0e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e72a7a17f7fada90a1f249b8d36d75d7 |
| SHA1 | 440f5fea27d6d782f97565136e34e907b0b0c954 |
| SHA256 | e23fb845220192f0d0ae2c4d174505ab5e96f8f53650909b27abb235d3ff958c |
| SHA512 | af71077ed4f088113e7679f5a6d35c5f8556554a3e2e467493bde9f2ece2754e42419d52d3ddefaadfc262ce4b71768004d56c41c7c44234dfaf957243e6d70b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dec337d2e86719635c51a57be333ee41 |
| SHA1 | 94b619ed2cd3d44a442283b8dc3d88d53bb8b5ca |
| SHA256 | 8752e729def755f4baec365a11b775b107a585c6d8bbbfa7dcdb36661d384334 |
| SHA512 | 066aadf3142779a6a54c41ae381e8de6fa9bd1308d3889a2fdc219274458cca207e39f71fcc461b33ab5fdcb406ee9310b52ba7cad7746ec4c7dded1e646b4e9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 34d3c0b0ceee94ebab27d86f824f756f |
| SHA1 | 43e9c9e383db9731867a1b094b686a675a30169c |
| SHA256 | aeb4c76970c204ae06c37a1b6d3b622a614b5a542ec01be67222a8cffecb00ac |
| SHA512 | c4e064b4963f011ed0e1d4e03dd5be947d05678d904be257ddc4bf6d78db8303efbf1058cc0c41d09260ba4e1f050df48dfe5e9fd2eb94f6ebb8f4bfdd7a8d12 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 938e7ed3b0c70ab1c3c61cf8907267e4 |
| SHA1 | 74d563a72583d7569aaf8610c485cc31cb2b882c |
| SHA256 | d8146e5cdffe443aa216ce5091d0302141aa9c00770af7320eb284ce5cc012e5 |
| SHA512 | 0b37ee0f71c22a8642494ab181a6d392e869099d3631aa0b3ea28f529de9f731722aba4c1236a173ba2473ad8d474d63ec73dbab7c7dff1e19d745ed7007f5a0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b649bfca19ac97b64e46d0c7ca93f619 |
| SHA1 | 6bfaab95b0d92ac14294a74526bfa5f97b4a8c4e |
| SHA256 | 0312119a87943addd5ef7ad517cf18286204349f0aafecc677a1611bc3c606ca |
| SHA512 | edee0c4dbc40d40cdf89a64db5e3312837ba25bcddef44001c143e5cd6fcd4345dc604d358b35be509f3f46fafd5110f70ef111550cac79606de0896ac66af99 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6311306b1253af3a2fe105739209091f |
| SHA1 | de758903426504b17824e9b4f6829cb92f2cfb91 |
| SHA256 | d581b93f895d567be7d07578f117555d914fedce307f37fdea5a65e61dc1222b |
| SHA512 | be8f418cb45b46dfa6739e2cf7e0a5de0156f33e32789f1d52932282555010cc3005cfdf3f21cce6f4063f814d526b3f6de7547b3e2d5990475723b810fc59e2 |
memory/3004-908-0x0000000000230000-0x0000000000239000-memory.dmp
memory/3004-909-0x0000000000230000-0x0000000000239000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\163f574d.bat
| MD5 | bd2f7eda4c8f93a619383f775cb7e923 |
| SHA1 | 9a644114111404f6292940b73c8335a8ddc56ade |
| SHA256 | c24299f8630bbf43ea6d5ecf9b5753d4932865489e79fe8a839481e27b476f1a |
| SHA512 | 2e5c0093f854dc242adc00ffe8e7c4b4d5cd34f10963a529492151b691a08868ebc426115ffe6c30b382b5b52e8d020ccce1c1f5e85ae5977d542ee93a47a8c9 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-12-04 23:24
Reported: 2024-12-04 23:26
Platform: win10v2004-20241007-en
Max time kernel: 106s
Max time network: 144s
Command Line
Signatures
Bdaejec
Bdaejec family
Detects Bdaejec Backdoor.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Ramnit
Ramnit family
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
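The table above shows VZRKxm.exe opening several dozen third-party executables under Program Files for modification (and the Srv.exe dropper writing DesktopLayer.exe), which reads as a file infector touching installed binaries rather than an installer writing its own. What a responder wants from this list is the set of touched paths per writing process and a way to confirm which copies on a host still match a known-good image. The script below is an added example, not part of this report or of any tool it names: it parses rows in the report's own table layout, groups the targets by process, and checks each path against a SHA256 baseline. The three rows in SAMPLE_ROWS are copied from the report; the baseline, the files created under a temporary directory and the "appended bytes" tampering in demo() are constructed so it runs offline (the report does not show what the infector actually writes).

```python
"""Group the 'File opened for modification' rows by process and verify the
touched executables against a known-good SHA256 baseline.

Added example; not part of the sandbox report. SAMPLE_ROWS copies three rows
from the report; the baseline and the files used by demo() are constructed.
"""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

# Three rows copied from the report's signature table (constructed sample).
SAMPLE_ROWS = r"""
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
"""

COLUMNS = ("description", "indicator", "process", "target")


def parse_rows(text):
    """Parse '| Description | Indicator | Process | Target |' rows into dicts."""
    events = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != len(COLUMNS) or cells[0] == "Description":
            continue
        events.append(dict(zip(COLUMNS, cells)))
    return events


def targets_by_process(events):
    """Map each writing process to the sorted list of files it opened for modification."""
    groups = defaultdict(set)
    for ev in events:
        if ev["description"] == "File opened for modification":
            groups[ev["process"]].add(ev["indicator"])
    return {proc: sorted(paths) for proc, paths in groups.items()}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_baseline(paths, baseline):
    """Classify each path as ok / modified / missing / unknown against baseline hashes."""
    verdicts = {}
    for p in paths:
        if p not in baseline:
            verdicts[p] = "unknown"      # no reference hash: needs manual review
        elif not os.path.exists(p):
            verdicts[p] = "missing"
        elif sha256_file(p) == baseline[p]:
            verdicts[p] = "ok"
        else:
            verdicts[p] = "modified"     # content differs from the golden copy
    return verdicts


def demo():
    """Offline run: two stand-in executables, one tampered after baselining."""
    tmp = tempfile.mkdtemp()
    try:
        good = os.path.join(tmp, "7z.exe")
        infected = os.path.join(tmp, "maintenanceservice.exe")
        gone = os.path.join(tmp, "policytool.exe")
        for p in (good, infected):
            with open(p, "wb") as f:
                f.write(b"MZ" + b"\x00" * 62)      # constructed stand-in, not a real PE
        baseline = {p: sha256_file(p) for p in (good, infected)}
        baseline[gone] = "0" * 64                  # baselined on the golden image, absent here
        with open(infected, "ab") as f:
            f.write(b"APPENDED-BY-INFECTOR")       # simulated tampering; the report does not show the real write
        return verify_against_baseline([good, infected, gone], baseline)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for proc, paths in targets_by_process(parse_rows(SAMPLE_ROWS)).items():
        print(f"{proc}: {len(paths)} file(s)")
    for path, verdict in demo().items():
        print(verdict, path)
```

On a real host the paths come from the full table and the baseline from the vendor packages or a golden image; anything that verifies as "modified" should be quarantined rather than trusted on the strength of its original vendor signature, since the signature check itself is what a baseline hash comparison replaces here.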
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440119637" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31147683" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3113850009" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31147683" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3109787388" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3109787388" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31147683" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E4F6D164-B296-11EF-A7EA-FA89EA07D49F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomi.exe"
C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe
C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe
C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe
C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3708 CREDAT:17410 /prefetch:2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7be31dea.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ddos.dnsnb8.net | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/1888-0-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe
| MD5 | 56b2c3810dba2e939a8bb9fa36d3cf96 |
| SHA1 | 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc |
| SHA256 | 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07 |
| SHA512 | 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e |
memory/4592-4-0x0000000000B50000-0x0000000000B59000-memory.dmp
memory/2236-10-0x0000000000400000-0x000000000042E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2024-12-04_58106e9c40b89aa095fd22658ffa6e8d_ramnit_smoke-loader_wapomiSrv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
memory/2236-12-0x0000000000480000-0x000000000048F000-memory.dmp
memory/2236-14-0x0000000000400000-0x000000000042E000-memory.dmp
memory/628-19-0x0000000000560000-0x0000000000561000-memory.dmp
memory/628-18-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1888-22-0x0000000000400000-0x0000000000422000-memory.dmp
memory/4592-23-0x0000000000B50000-0x0000000000B59000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 1febcd32ec103d1677cea2e73245ffa6 |
| SHA1 | fc35cc168291c490a78416705e90cefde5627fb2 |
| SHA256 | 5bdad5ebecb1cd1683243aae582b801c2d63dd9d18ad434c006fdf294e83ff38 |
| SHA512 | 24ae00db57547a7de9623cd557b9cff5ac42295965ad201163bc13eb39e6077f31cee2ace6986b355dd7788396c11e95b961390add8f587b7e57ca10a2c213bb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | f3fcc5a80355f7608c676aec4e906f24 |
| SHA1 | a99c3715f3daa60199e38e1ab179d839a43ac370 |
| SHA256 | 7a87b6d1af23c95c1caae2e8ba987304ee97b8c5cd98f715935b058288458664 |
| SHA512 | 2c5ef30f0522b1fac05e077a1dcbdbb6cc447cf92bf1cafb28a45985ca8a98f5d5184a9ef7f01df228fc9c9016adc43a0a98f708e6774fdd342d109a1fd54f6a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
C:\Users\Admin\AppData\Local\Temp\7be31dea.bat
| MD5 | a4a9c1241139cdb992308dd24061562e |
| SHA1 | e5bad1ed7b30c996868eed4168d684655e168f60 |
| SHA256 | 8e5f818ea1373957d5e67af6c6b9651392dedc59f38838c235b74c2375f5b566 |
| SHA512 | c47d749103a17eb0256507291839e82ecd5958ca9fd7de7f7dd34923897914bd63b6dceaee99d7a0353b88c7479d5dce03876373c0da356f725d83921a726ced |
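Two sections of this behavioral2 run carry the indicators worth exporting: the Network table, where five TCP connections go to 44.221.84.105:799 after resolving ddos.dnsnb8.net while the rest is DNS noise and Internet Explorer's own ieonline.microsoft.com check, and the Files section, where the dropped binaries sit next to CryptoAPI and IE cache artifacts written by the spawned browser processes. The script below is an added example, not part of the report and not Suricata's or the sandbox's own code: it parses both sections in the report's layout, counts repeated hits to ports outside a small DNS/web allow-list, turns each flagged endpoint into a pair of Suricata rules, and separates dropped files from cache paths. The sample rows are a subset copied from the report; the port allow-list, the cache-path noise filter, the rule text and the sid range are this example's assumptions.

```python
"""Pull network and file IOCs out of the report's Network and Files sections,
flag the repeated connection to an unusual port, and emit Suricata rules.

Added example; not part of the sandbox report or of Suricata. The sample rows
are a subset copied from the report; the port allow-list, the cache-path noise
filter and the sid range are this example's own assumptions.
"""
import re
from collections import Counter

# Subset of the report's Network table (constructed sample).
NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ddos.dnsnb8.net | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 44.221.84.105:799 | ddos.dnsnb8.net | tcp |
"""

# Subset of the report's Files section (constructed sample).
FILES_SECTION = r"""
memory/1888-0-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VZRKxm.exe
| MD5 | 56b2c3810dba2e939a8bb9fa36d3cf96 |
| SHA256 | 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 1febcd32ec103d1677cea2e73245ffa6 |
| SHA256 | 5bdad5ebecb1cd1683243aae582b801c2d63dd9d18ad434c006fdf294e83ff38 |
C:\Users\Admin\AppData\Local\Temp\7be31dea.bat
| MD5 | a4a9c1241139cdb992308dd24061562e |
| SHA256 | 8e5f818ea1373957d5e67af6c6b9651392dedc59f38838c235b74c2375f5b566 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
# Paths written by Windows' own CryptoAPI / IE caches when the spawned browser runs;
# treated as side effects rather than dropped payloads (assumption).
NOISE_PATHS = ("\\CryptnetUrlCache\\", "\\INetCache\\")


def parse_network(text):
    """Parse '| Country | Destination | Domain | Proto |' rows; split ip:port."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def suspicious_destinations(rows, allow_ports=(53, 80, 443)):
    """Count connections to ports outside the usual DNS/web set; repeated hits
    to the same endpoint in one detonation are the beacon-like signal."""
    hits = Counter()
    for r in rows:
        if r["port"] not in allow_ports:
            hits[(r["ip"], r["port"], r["domain"], r["proto"])] += 1
    return hits


def suricata_rules(hits, base_sid=9000001):
    """One alert on the raw endpoint and one on the DNS query per flagged destination."""
    rules, sid = [], base_sid
    for (ip, port, domain, proto), n in sorted(hits.items()):
        rules.append(f'alert {proto} $HOME_NET any -> {ip} {port} '
                     f'(msg:"Sandbox IOC {domain} endpoint ({n} hits in report)"; sid:{sid}; rev:1;)')
        sid += 1
        rules.append(f'alert dns $HOME_NET any -> any any (msg:"Sandbox IOC DNS query {domain}"; '
                     f'dns.query; content:"{domain}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    return rules


def parse_files(text):
    """Attach the hash rows that follow a path line to that path; skip memory dumps."""
    entries, current = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = HASH_ROW.match(line)
        if m:
            if current is not None:
                current[m.group(1)] = m.group(2)
        elif line.startswith("memory/"):
            current = None
        elif line:
            current = {"path": line}
            entries.append(current)
    return entries


def dropped_payloads(entries):
    """Keep only entries whose path is not a known cache location."""
    return [e for e in entries if not any(n in e["path"] for n in NOISE_PATHS)]


if __name__ == "__main__":
    for rule in suricata_rules(suspicious_destinations(parse_network(NETWORK_ROWS))):
        print(rule)
    for e in dropped_payloads(parse_files(FILES_SECTION)):
        print(e.get("SHA256"), e["path"])
```

The allow-list is deliberately small: in this run it lets through the resolver traffic and the Microsoft 443 connection and leaves exactly one endpoint, the 799/tcp destination, which is the one to block and hunt for across proxy and firewall logs. The IP and domain are paired in the rules because the page shows both, and a domain that moves to a new IP is still caught by the dns.query rule.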