ramnit | c512a9bf3578b8b1b96b2881d9839eb8df824979b157f60a4536eee2d9905b55

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnit.exe
Size

1.8MB
MD5

bd792c0026b4a18d82def3924e6f6299
SHA1

c3cffdd2a621b08b66b329d9cb19b3ac62a7ce97
SHA256

c512a9bf3578b8b1b96b2881d9839eb8df824979b157f60a4536eee2d9905b55
SHA512

9f7a407d7b6a30ccb905430a1c116ae25989ff6509938c694d3efd946f1da1880a4cd3d02d58859d6d354068150e97331a2da33ca7b74edc60bbca91ac9badb1
SSDEEP

49152:PPSdG9Ws3y5F1p0xrxOlU9E+mwqnaOW1PEWxKih0EtUKOMifzKJofjvy7mpmm9m:HSuWs3y5zp0xrMU9EmqnaOW1PEWxKOfI

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 4 IoCs

pid	Process
2536	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe
1180	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrvSrv.exe
2336	DesktopLayer.exe
2724	DesktopLayerSrv.exe

Loads dropped DLL 4 IoCs

pid	Process
2528	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnit.exe
2536	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe
2536	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe
2336	DesktopLayer.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012117-5.dat	upx
behavioral1/memory/2536-8-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/files/0x0007000000016d5e-28.dat	upx
behavioral1/memory/2536-14-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2336-26-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1180-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2724-49-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2336-39-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1180-38-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1180-44-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2724-43-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px89C9.tmp	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px89D8.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px895B.tmp	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrvSrv.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442637769"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{18D6A241-CEFA-11EF-8BB8-FA59FB4FA467} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{18D1DF81-CEFA-11EF-8BB8-FA59FB4FA467} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{18E027C1-CEFA-11EF-8BB8-FA59FB4FA467} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442637771"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2528	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnit.exe
2528	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnit.exe
2336	DesktopLayer.exe
2336	DesktopLayer.exe
2336	DesktopLayer.exe
2336	DesktopLayer.exe
1180	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrvSrv.exe
1180	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrvSrv.exe
1180	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrvSrv.exe
1180	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrvSrv.exe
2724	DesktopLayerSrv.exe
2724	DesktopLayerSrv.exe
2724	DesktopLayerSrv.exe
2724	DesktopLayerSrv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2996	iexplore.exe
3004	iexplore.exe
2752	iexplore.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2528	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnit.exe
2996	iexplore.exe
2996	iexplore.exe
3004	iexplore.exe
3004	iexplore.exe
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE
2752	iexplore.exe
2752	iexplore.exe
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2536	2528	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnit.exe	30
PID 2528 wrote to memory of 2536	2528	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnit.exe	30
PID 2528 wrote to memory of 2536	2528	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnit.exe	30
PID 2528 wrote to memory of 2536	2528	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnit.exe	30
PID 2536 wrote to memory of 1180	2536	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe	31
PID 2536 wrote to memory of 1180	2536	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe	31
PID 2536 wrote to memory of 1180	2536	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe	31
PID 2536 wrote to memory of 1180	2536	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe	31
PID 2536 wrote to memory of 2336	2536	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe	32
PID 2536 wrote to memory of 2336	2536	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe	32
PID 2536 wrote to memory of 2336	2536	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe	32
PID 2536 wrote to memory of 2336	2536	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe	32
PID 2336 wrote to memory of 2724	2336	DesktopLayer.exe	33
PID 2336 wrote to memory of 2724	2336	DesktopLayer.exe	33
PID 2336 wrote to memory of 2724	2336	DesktopLayer.exe	33
PID 2336 wrote to memory of 2724	2336	DesktopLayer.exe	33
PID 2336 wrote to memory of 3004	2336	DesktopLayer.exe	34
PID 2336 wrote to memory of 3004	2336	DesktopLayer.exe	34
PID 2336 wrote to memory of 3004	2336	DesktopLayer.exe	34
PID 2336 wrote to memory of 3004	2336	DesktopLayer.exe	34
PID 1180 wrote to memory of 2752	1180	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrvSrv.exe	35
PID 1180 wrote to memory of 2752	1180	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrvSrv.exe	35
PID 1180 wrote to memory of 2752	1180	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrvSrv.exe	35
PID 1180 wrote to memory of 2752	1180	2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrvSrv.exe	35
PID 2724 wrote to memory of 2996	2724	DesktopLayerSrv.exe	36
PID 2724 wrote to memory of 2996	2724	DesktopLayerSrv.exe	36
PID 2724 wrote to memory of 2996	2724	DesktopLayerSrv.exe	36
PID 2724 wrote to memory of 2996	2724	DesktopLayerSrv.exe	36
PID 2996 wrote to memory of 2676	2996	iexplore.exe	37
PID 2996 wrote to memory of 2676	2996	iexplore.exe	37
PID 2996 wrote to memory of 2676	2996	iexplore.exe	37
PID 2996 wrote to memory of 2676	2996	iexplore.exe	37
PID 3004 wrote to memory of 1932	3004	iexplore.exe	38
PID 3004 wrote to memory of 1932	3004	iexplore.exe	38
PID 3004 wrote to memory of 1932	3004	iexplore.exe	38
PID 3004 wrote to memory of 1932	3004	iexplore.exe	38
PID 2752 wrote to memory of 2012	2752	iexplore.exe	39
PID 2752 wrote to memory of 2012	2752	iexplore.exe	39
PID 2752 wrote to memory of 2012	2752	iexplore.exe	39
PID 2752 wrote to memory of 2012	2752	iexplore.exe	39

C:\Users\Admin\AppData\Local\Temp\2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnit.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe
  C:\Users\Admin\AppData\Local\Temp\2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrvSrv.exe
    C:\Users\Admin\AppData\Local\Temp\2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrvSrv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2012
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2676
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3f0e909aecbde9de4f98a4c9ddebb94

SHA1
a71f4e474d7424eada3ecd6d27e7ef6ab73af492

SHA256
45fdf507ba34a29db75d415cffe3dc2d6b55b2c8f40736a13113770c24e54254

SHA512
f38b347911b4a9cc74d00f244be3ef873a06eee2372132b68aeea4e4b585d063707e63f89cefd39a5d59a9bf4aa3f063adb9240cfcd8e6aa52da1d868f995e3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a065963801c8153b63789c4d795fedec

SHA1
4b641d8db6f9d3d9ca81783602209e1d2518f73f

SHA256
0bb2a1ab270c67eeab68aef2160f4d28fdb7af39e45e4878c9cce9756099d10f

SHA512
70691e8144fe6c6e8860edbdc59d03312ff9a694ab6efdfcd8ebbf6ddcd1065f1996273abee2d63ae645a901045969060f48b26663b11f611a3f97398cf4bf5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12124cfb4c041fcbc91b1a869bfe5aa9

SHA1
897cfe5db1ad01acb1da1984022a5ceec9f4d130

SHA256
c5f8c2133f9b92b26353f6d8712aaea0881bd0663c3554176b0d9ab8a9657ffb

SHA512
34ff744869d8532ebfcc689ae51212cea567a2e64f57524f3acec7f9d86aab0e2bdcf13a5f25c0ecf36a8cda2d8b03701bb8e931187a002353aa1ff393978301

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9d42355c8112d0fb6e59823b544886e

SHA1
05650a69b927048768bdd548ea2595448478105c

SHA256
d5a2d2b121890d3d7ef34cba3a991308f674b5e5316c7fdb1bdf6f65d711bb22

SHA512
dfbad6e8edcff958f4d382e60fe82afd59102533ceec60ffa6d5d9d87dfa6873e5c6908cceb48f9074f54c0d2d54675b06ff9f2930ecb799be0fc4570beef4af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7d45e103402578a3a4b13e33c05e205

SHA1
1bde75441be8b1a0fa3506e71367be611658de99

SHA256
d22141af5968364775a74438bf9550f5ad851a2a9031a0e88fc31a73a5d4582f

SHA512
b991f2eb8d2966321fd6d22a7d642b9c42746c7af28928207abc74b93f06ddf52bfb72fad8b3a4f3c613d8d227eca2e2cdba11bd6e877d4b2903ff528ec64e39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02c30fa4824aac33db4acef58a3e97d9

SHA1
1ba1a01a9f574059befb796904e0c8d01d5a79c7

SHA256
95886181840ca702edb781789347a22f8a300b7da86a9da4d9bc284807acd39c

SHA512
f103ad1cf40b9275dc955c22fc3dbfe2ebf1c005b1babb3bc68ccc03b211c2626891c525738c2e347cc2f2a6ef867c353a0463cbfcb1cd49037d90669f45188d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da6098d3adef44823f9816b7ea95e629

SHA1
1577f0cc2a1ef69dbb7696df5d40c9cb0ea7e7cb

SHA256
1980f969afbd74c6aac603cde15bb6b6dc6a4980c1b2ce7be0e14aa009dbe399

SHA512
cf645bb1a1538db6a4f554f1852b7d55b929ad197722204064a2e6da7c22b6a781cc87de765d8dea6b69308926614e5223943a4aa1852fb54d2a9e258407857c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c7c6ab72b516e9330533c0dbfd748b5

SHA1
7d69d166ab06d1d57159a4a66d82db4e78d073c3

SHA256
5a3a67dda7ebace31239f5c438e127f9440a93ddcfa8e4058bb2b673150ee064

SHA512
d887778f474c8bf178e73e64128aa1d3e7be80ca335fe5e910723b76c8b70d2818be7fabe7f4ebe7f27b96e63af492a42e2caa750b713d9603569d6de0d0d21c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a72347b69ecef984d128ac46dada02a

SHA1
fc101708b33b2e70973365242d30ac5e1c0a9d5a

SHA256
6bd06ea50685a24ab1bd0228f22c42fc424d6419627dc86bb789dae655a067a7

SHA512
530069a3c4980af8a444dbfc74ccda3c36ec968140682fdd8331715436ac19aa720c092cbc7cb6e633a1139f71928f20beece84c76c6602e1749c087abdc0314

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a28d5c31b0bbfa770eb814088614e104

SHA1
d912365e1b1ca93f1ef4b943a6c5920c9538e8fb

SHA256
31c25b77847f931b1e3caf79ccaa07a8cded6a0c5c1fc9225a7bdc8300d7417c

SHA512
b080161a42ae48051da96bccf9e5eddaf25d0a5c257026d5178d1e905373a553b8c23493992aef32ae4953a8aac6e40c4bf28a8f73d1dbd6bf9b9a4a58fa2aff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea2fc0ba728cf31bcf895e2a14c1aa30

SHA1
56d34cc116ced11d85939da16f336c705f0cdf6c

SHA256
e6af021b636c3ac2e474436bb68f05d527618d6aaf8eff87aa208d32624fbae6

SHA512
91a1d393215da0040df4aeb163a992cb430ed1772f69e44ef0dfaba6fc6e6311072108bca6bdaf45d77f82ddcf2f95245eb3ccde8f68445a8541e705ad01b769

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d0b4b30f4cd64c40864bcba5f591952

SHA1
27ed249e1d56de268f001f9988087e6920db7b7b

SHA256
3dd8812f67f682b151968c02d7cda2660897561bcf71644dd8f60512e0d71a13

SHA512
26f982c1af2dd05e4b74eeab57c95d76d1653e066e693e3c39b4ba198a1f3b826a729fbb7b8258a770bdffc0b7ce79aaec12f77f0cabbe08d95ec87c01f20068

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c74aa6706be9d69d260bb2e45f0217a8

SHA1
346e923aa29b19a9755638874a607cfc509dbd2b

SHA256
fce84ff7803a1aa72d4c58a38106c113b1711f61c573f3feccf5a50909ec926d

SHA512
80a643dbdbebba7335e7b9652bdc03d9ad170faaf8503334ff7bb8668ba4af5b3ea01f71b244ee5949ea42fbd4c8702863cc2f68c48085af8ebfa86dd32b446f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2385494d1a707a97d3dec7cc936fe7c4

SHA1
62adc966d3f101b70f430c1cff58600f9c45a5a3

SHA256
4c4d3e41a8b6c0914818447a6dd8c6e5034c8904d77002040084cba9a3335d47

SHA512
8ad9216440ce6bcc408147d5e4980d2cab0ea27a863d0e59cc33a243c22d870ab8ceef4967219d8d64d76392a819293069d16b4dc336a2ec81dae856c6956876

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f84c9acab4969dcea3dc563599f49fe7

SHA1
612a69c64d08112ccca505adf1e84131fca8acf3

SHA256
15f6f5ca9513d69f87cb593741ad63abfa85476bca1ca19fd54dab5c3ce35675

SHA512
7b8cd6335238b48b68a2240aa89799d2b2761335df9118c60f372b9be7c16a6e40e00d57df19e0f18b71366d7477db0b11b9c8994291fca7e56d8ec28a104740

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d81d1ca6f4b0e6edba4dd7d5efacdeb2

SHA1
eec72c8d996fa3316c31c1e962f743eaf56a54aa

SHA256
81943aae08bef51bf8df0c3c62720e4b22c9012a5b284090e5618f098adc11bf

SHA512
ea37fafacdc42cd196d0d84985c09381ea6fb70790260c8f53bb55dd075e29d88973e9f33593bc74076586c461e0ed1c9c1ebf2930baa085cf3ec56a7ad05e4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
821b924f873347b9408a912e60412ee6

SHA1
646c514774a95ca766f94dbfdddc3277838d1cfa

SHA256
37f1e91ddad69b1145072b80b3061598be683bb6f62f3f442448f91438b3219a

SHA512
ee252b053e28cbf3dcf3750e2913366c38404ffb72e878855b35076e60c7a8d9639134f7a39d949f03a8f67813bb609af6b055be92963fb50a383220868bd7dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bfa673c899dd98f18e4f8138fe64098

SHA1
7d8985f03dba295033540d107a394aa4cfa9faa1

SHA256
41dfd329f3e3b3921ddd07ffbd8235cd6fecd872f4fe94c460995dbfa3499cab

SHA512
752ea4a5f335e22ca5c85e8b552347b2632bf4898588a63f965716ef03e3f9a0c71ec8b88b7e7f33710933749e2edb45d1d27bce2198175f0f45e2d768807302

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1e80e3688df380b8a8c2ae9f5719fe9

SHA1
a2bae2dd2c9cb45b3be84e3bfedab95d566a9c21

SHA256
48c1b4cc01e3785b7b2202e79866c44a5b24be43664730ddf0d30daeef7e2139

SHA512
349452b1f2789b2a57da323b2525be756972281ec44f52875a78035bad7359a82ca0b030ec8785b2c552b31a7e690a861cb012a51038766e14c29a8b18b447b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f751c354f7a85a9e562f734dca1fd36

SHA1
765b206dec076a2cc358e0d2ec0202269c5448aa

SHA256
68ae75b9bb0ab1c49fab8924fe50591ea92dd5678a75a1fc70c17e49a5194dd0

SHA512
d30930382a94e89dde1a20d76d5615389a46b494c9cfcec2707ce8c79d4cb28c50774a4a80bc1759a98a0c1c98067bc68a2529ebc6ae07a98d03b0372fccdc73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38ee1f87d555903356372b7e80636faf

SHA1
651fff6913a05fee2edef6426d23b57929745a70

SHA256
e3a8465222b40ba26717855f32c63891ea7cec35617d7606a22a1e998d047d26

SHA512
edc8ecdd23362006b5937345fec8fdc52bd3c051c13be147468bc64cc9c31da9172ec2d32f8e5e1e7120848f35cd7df51d636e5665daf33f42a32da49dd1b3c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddcdfc6536edcb66332a5269fc596a48

SHA1
438320c0aea410fc9dbbf0fce0b631fb132c458e

SHA256
7f6e809bb1d81903162535cd92058667f8a4b2f559cbfd8459102ada2a5ef668

SHA512
3b1f48f1a87461ea05254ebba8945eb2c22f29ecbdaf1e9926e1342cc37aef2a03ca61ef9c13cbe6a90cb897bcf6f6aae1f2d82c83669ef3c32aacfc59a38dc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6001ca28919e7893fc14e0d0e00358a8

SHA1
4f8421d2a008ee592f6af4a8d9c4680e0c550bd1

SHA256
56797c1706d9708380aecb8675fc5a67965e0e4ab554b35683dcd442452b281b

SHA512
337b859eeef2f2676783f184f5c4ee6e9f2c963b14365e65d041de3a941aca646d86f024003e80d4d75899a6f4347406ea6ac48fbbd396bf379fc3d60dd3da19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1548a86091a82ad615c0b1d7bf580c8

SHA1
d829d8b6529ff9c6f815144611a71328e215c57f

SHA256
1c2385049cd797f72888d70d3d6191cab23335ab49b48dd90ccd63032ab66a7a

SHA512
ce79621aa47f17404f8f13ecc684712ca3601bf5a97cae877fd4e1ca7578b660e72c75eeb09a158e19a6fc03605347c998c1177641f4d5f6c3784c83955eeec6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9622d2e53f388a0e20f6eb80a12b5b6a

SHA1
6025b8b6bb46aeb8e39e8100fd0df77675404113

SHA256
498579c64077226d90bdf4d0df321355e53a1ce75b4105eb25af8d966b7145fb

SHA512
32a70c503d53a4f4f9df8d1c4a87a86f70dda91617e94624dce25242a7d9ea54009b2eac0458814933ce5558e479533ba5363dc2b6d9b2347664672380521c05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d2e78fc38715e3e29ae97e96a2c8598

SHA1
2fa99aabf17bb19a31e7c873a19b69434b69bf8b

SHA256
16a0ff309395e17e10e603b6db99ae31cd5143e67df254812c3b4df5fc743a8b

SHA512
86688fe25cbb72783e516edc110b068e3eba90c84092e45c4d429b67cac8214904eb7db0855b59bada12b20f3b30a4e777ab26fce8e93ae5f8aa87cebdae98c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9971ad0f713ae4abe4c180beebfc042

SHA1
7ae8ac5e2768658978aaf97ad3fcb15113996ef1

SHA256
00811f440df1cd57230ff147d044de5b075bc049d997d3547c6906d2f763c5bc

SHA512
3cef264b409fd89d8cf0c0dedae78b9847a7e69e5de975acc0586ff29d25fd38e116b1b560a7c5dd6d4028516c2173dd1b071bb360982f1b456e5770780caa08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7258e3b65bbf9ba3386f378c73d6194

SHA1
7b357356ea573a2d6d29a7af97f89537668318e4

SHA256
53cf5c3bda110a6adac0935706b74ffbcbd5a741ab5bf1b8cbcb51af08d985b8

SHA512
58e42a1b338d24964cd60d36a4a82ef9e0a1d4f231a18864c23df9a8363c3abe95d2f27e66bd27f520de0b0e1f3dc38aff536bfc5b2be491fe8d8dd985611e02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64ff52c6ae5456f56f5630bb7295d76f

SHA1
10b989bcbee6ab9f77c447551ca16ee371087e1d

SHA256
19f4a46fedede5fe58c5f37c16836310319f45438eba7774e66d1f87cb7173a8

SHA512
e42e1a175a84122b37b12f60990f636e03956e46dfe590cd3bb1598713b0124f6d6d134dd53d1fe2f33176fbf0f556ce369e72e0fac07cc1874dc2a42e9fb722

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ce762398dc9d6138e5068075c384417

SHA1
983ff468839ba66622c4078f640ef3bf3897ac2b

SHA256
edbf1f88cfeb5c90130c696e88ecb225fe1fc82eeecf1d44d5ae9ca80ab3c435

SHA512
165f942e7e7d009291bb8731eb22aa7ee9af25b2955968c4053f009387977fefc239ce9f8f24bcf029b0c2bd6fe7327a6096c7cf4249c60fd24dfd8c2598d547

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96c8dd2ea6be148ef1f6c8723cf1ab85

SHA1
e17c01c621ce30794acd674687aa2fed1b5edca3

SHA256
900629cd97c7aecdd17343bcaf241e47234f7b335b544e45e875056f4d0b7611

SHA512
d54db1e7ccab27916c45389ec21772ac0773ac5f528d80572fe667a4f92242e437878feed053dc203b9e66f4f6bdb5e725a7b0b4790827e3f2c14d13572a8c01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{18D1DF81-CEFA-11EF-8BB8-FA59FB4FA467}.dat

Filesize
3KB

MD5
40721eb45a9dd748b0213e3dd2bb5803

SHA1
043598061545979a3f117add1b49eb7ab3966251

SHA256
29f56a531a6adb19c1a048a30a1697adf0d2b046ff444bdc021f17105f878f58

SHA512
270395c7e01d663f1fcbf00fb86d415bbe382e1b45eef78655da2550941695919862b65a7c049e5a03761e1598e94c36b1e4f58c27d383678915d2276ec1389f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{18D1DF81-CEFA-11EF-8BB8-FA59FB4FA467}.dat

Filesize
5KB

MD5
c11caec04c9fbfe8da7fc9623d77c00a

SHA1
c5a0b952ad23688f2d6b929244f35725008e7537

SHA256
951f2367947459d32a8f953b5e6940a031226547715bfde4e0df405455422180

SHA512
41fb34eb2dc3e571e06e43a3cdd01223cab3e6048ac23dc946f919b207a369dbb96ff22750da0303815952eb90f3c5605fcd74de8996f5e96b2d36a8c22acdf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{18D6A241-CEFA-11EF-8BB8-FA59FB4FA467}.dat

Filesize
5KB

MD5
dfdf7f23a23748c0226f8f45e197237c

SHA1
166ce49f9fb9beb38f008ad3bfe224c02f1785e3

SHA256
794169e2b4d3e4d9a9ca7cf75bf5c016566360309dde0e5570a126c7856ba9cd

SHA512
fdb9702c6d8d95c005f3da74a48397ef94d4229458d0d09fbf322f72302e73fddd263c17cabb2fa0cd43d4aeb15cde09828eaefb33155229fec29a49c6e64730

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-01-10_bd792c0026b4a18d82def3924e6f6299_mafia_ramnitSrv.exe

Filesize
111KB

MD5
0807f983542add1cd3540a715835595e

SHA1
f7e1bca5b50ab319e5bfc070a3648d2facb940eb

SHA256
8b492fd5118993f8adb4ddbba5371a827fa96ff69699fe82286ad3a92758bf5f

SHA512
27161f765072f32977bfae3737a804492251514bd256336ed9eee985a760f11c8c778bfb45760bdbf94cb69ed49fa6831f2700548a290412a577fbc70a5b7d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA98B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA9FB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1180-44-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1180-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1180-42-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1180-38-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2336-26-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2336-39-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2528-52-0x0000000000460000-0x000000000049D000-memory.dmp

Filesize
244KB

Download
memory/2528-48-0x0000000000210000-0x00000000003EF000-memory.dmp

Filesize
1.9MB

Download
memory/2528-6-0x0000000000460000-0x000000000049D000-memory.dmp

Filesize
244KB

Download
memory/2528-0-0x0000000000210000-0x00000000003EF000-memory.dmp

Filesize
1.9MB

Download
memory/2536-13-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2536-14-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2536-16-0x00000000002D0000-0x00000000002FE000-memory.dmp

Filesize
184KB

Download
memory/2536-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2724-43-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2724-46-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2724-49-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download