ramnit | 9603615f571596615b96c08f68cb08d7ad5e602f5f2d56aef683c3b6ea8cc02f

Analysis

max time kernel
120s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe
Size

1.9MB
MD5

f63713e434c774d79ea05c743dbbc986
SHA1

9aa80ff8294bc0ba6faae20b4812c78c429ea2c7
SHA256

9603615f571596615b96c08f68cb08d7ad5e602f5f2d56aef683c3b6ea8cc02f
SHA512

e1335bd59cb896776b2e6f5f31d16127d112a98d98a2a843c0b8441e41347ff0ebf125d6856de0c7a550023e4dbd0218be33663c0f602df2069f1033e0396aac
SSDEEP

49152:gPSdG9Ws3y5F1p0xrxOlU9E+mwqnaOW1PEWxKih0EtUKOMifzKJofjvy7mpmm9mu:uSuWs3y5zp0xrMU9EmqnaOW1PEWxKOfI

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 7 IoCs

pid	Process
868	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe
4380	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
3684	DesktopLayer.exe
4992	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
936	DesktopLayerSrv.exe
4808	DesktopLayerSrvSrv.exe
4732	DesktopLayer.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000023bea-3.dat	upx
behavioral2/memory/868-5-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/files/0x000c000000023bf0-48.dat	upx
behavioral2/files/0x000a000000023bf4-38.dat	upx
behavioral2/memory/4380-36-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/4380-35-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/3684-34-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/3684-33-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4992-32-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/868-9-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4380-11-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/936-43-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/4732-60-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4732-55-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4808-51-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4992-44-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px56EA.tmp	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5709.tmp	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5719.tmp	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5757.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5776.tmp	DesktopLayerSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrvSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = ab22c4d68f81db01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de3056e8859aed459ffffc86a4b5a6f600000000020000000000106600000001000020000000d856c04eef3e144b61944be657e30465f910e2dddccc8eacb0165a29aecbdbda000000000e800000000200002000000027b79ec1a78f7a8010073e6f60926a7f280904268c0ebf3f75729c6689e5485f1000000060949c7daf6a7e04cfa94a9eb78b349040000000369ac9f7e1f053c06b2b74c8b2f306781f509c0bf9848d7eee8bc2dd13baa874854df5e8b8fb89e818a83954eca760ab6f83d407920ab8765196c74cdf0c1fcb	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2089580614"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446617820"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A7C853EE-EDB0-11EF-8CD4-FAFE8A32395A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31162813"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31162813"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A7BA05B6-EDB0-11EF-8CD4-FAFE8A32395A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A7BECA8C-EDB0-11EF-8CD4-FAFE8A32395A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2084893146"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31162813"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31162813"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A7BC6838-EDB0-11EF-8CD4-FAFE8A32395A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2089580614"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = ab22c4d68f81db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2089580614"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4380	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
4380	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
4380	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
4380	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
1356	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe
1356	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe
1356	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe
1356	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe
4992	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
4992	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
3684	DesktopLayer.exe
3684	DesktopLayer.exe
4992	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
4992	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
3684	DesktopLayer.exe
3684	DesktopLayer.exe
3684	DesktopLayer.exe
3684	DesktopLayer.exe
3684	DesktopLayer.exe
3684	DesktopLayer.exe
4380	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
4380	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
4380	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
4380	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
4992	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
4992	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
4992	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
4992	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
936	DesktopLayerSrv.exe
936	DesktopLayerSrv.exe
936	DesktopLayerSrv.exe
936	DesktopLayerSrv.exe
936	DesktopLayerSrv.exe
936	DesktopLayerSrv.exe
936	DesktopLayerSrv.exe
936	DesktopLayerSrv.exe
4732	DesktopLayer.exe
4732	DesktopLayer.exe
4732	DesktopLayer.exe
4732	DesktopLayer.exe
4732	DesktopLayer.exe
4732	DesktopLayer.exe
4732	DesktopLayer.exe
4732	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4996	iexplore.exe
3596	iexplore.exe
1708	iexplore.exe
4920	iexplore.exe
2432	iexplore.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
1356	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe
4920	iexplore.exe
3596	iexplore.exe
4920	iexplore.exe
3596	iexplore.exe
1708	iexplore.exe
1708	iexplore.exe
2432	iexplore.exe
2432	iexplore.exe
4996	iexplore.exe
4996	iexplore.exe
4588	IEXPLORE.EXE
4588	IEXPLORE.EXE
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE
4608	IEXPLORE.EXE
4608	IEXPLORE.EXE
4908	IEXPLORE.EXE
4908	IEXPLORE.EXE
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE
4908	IEXPLORE.EXE
4908	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 868	1356	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe	84
PID 1356 wrote to memory of 868	1356	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe	84
PID 1356 wrote to memory of 868	1356	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe	84
PID 868 wrote to memory of 4380	868	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe	85
PID 868 wrote to memory of 4380	868	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe	85
PID 868 wrote to memory of 4380	868	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe	85
PID 868 wrote to memory of 3684	868	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe	86
PID 868 wrote to memory of 3684	868	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe	86
PID 868 wrote to memory of 3684	868	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe	86
PID 4380 wrote to memory of 4992	4380	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe	87
PID 4380 wrote to memory of 4992	4380	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe	87
PID 4380 wrote to memory of 4992	4380	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe	87
PID 3684 wrote to memory of 936	3684	DesktopLayer.exe	88
PID 3684 wrote to memory of 936	3684	DesktopLayer.exe	88
PID 3684 wrote to memory of 936	3684	DesktopLayer.exe	88
PID 3684 wrote to memory of 2432	3684	DesktopLayer.exe	89
PID 3684 wrote to memory of 2432	3684	DesktopLayer.exe	89
PID 4380 wrote to memory of 4996	4380	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe	90
PID 4380 wrote to memory of 4996	4380	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe	90
PID 4992 wrote to memory of 4920	4992	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe	92
PID 4992 wrote to memory of 4920	4992	2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe	92
PID 936 wrote to memory of 4808	936	DesktopLayerSrv.exe	91
PID 936 wrote to memory of 4808	936	DesktopLayerSrv.exe	91
PID 936 wrote to memory of 4808	936	DesktopLayerSrv.exe	91
PID 936 wrote to memory of 1708	936	DesktopLayerSrv.exe	93
PID 936 wrote to memory of 1708	936	DesktopLayerSrv.exe	93
PID 4808 wrote to memory of 4732	4808	DesktopLayerSrvSrv.exe	94
PID 4808 wrote to memory of 4732	4808	DesktopLayerSrvSrv.exe	94
PID 4808 wrote to memory of 4732	4808	DesktopLayerSrvSrv.exe	94
PID 4732 wrote to memory of 3596	4732	DesktopLayer.exe	95
PID 4732 wrote to memory of 3596	4732	DesktopLayer.exe	95
PID 3596 wrote to memory of 1044	3596	iexplore.exe	97
PID 3596 wrote to memory of 1044	3596	iexplore.exe	97
PID 3596 wrote to memory of 1044	3596	iexplore.exe	97
PID 4920 wrote to memory of 4908	4920	iexplore.exe	98
PID 4920 wrote to memory of 4908	4920	iexplore.exe	98
PID 4920 wrote to memory of 4908	4920	iexplore.exe	98
PID 1708 wrote to memory of 4608	1708	iexplore.exe	99
PID 1708 wrote to memory of 4608	1708	iexplore.exe	99
PID 1708 wrote to memory of 4608	1708	iexplore.exe	99
PID 2432 wrote to memory of 2708	2432	iexplore.exe	100
PID 2432 wrote to memory of 2708	2432	iexplore.exe	100
PID 2432 wrote to memory of 2708	2432	iexplore.exe	100
PID 4996 wrote to memory of 4588	4996	iexplore.exe	101
PID 4996 wrote to memory of 4588	4996	iexplore.exe	101
PID 4996 wrote to memory of 4588	4996	iexplore.exe	101

C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnit.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe
  C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
    C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
      C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrvSrvSrv.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4920
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4920 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4908
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4996 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4588
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:936
    - - C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4808
      - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3596 CREDAT:17410 /prefetch:2
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1044
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1708 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4608
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

Filesize
111KB

MD5
0807f983542add1cd3540a715835595e

SHA1
f7e1bca5b50ab319e5bfc070a3648d2facb940eb

SHA256
8b492fd5118993f8adb4ddbba5371a827fa96ff69699fe82286ad3a92758bf5f

SHA512
27161f765072f32977bfae3737a804492251514bd256336ed9eee985a760f11c8c778bfb45760bdbf94cb69ed49fa6831f2700548a290412a577fbc70a5b7d77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\31976568FBE31D20174C3FAC50D34698_2224EF112EEB7D5CE6B913D61620C791

Filesize
471B

MD5
ea3f03c5b368ac9d09a5bb60fc7982c6

SHA1
6390751860b3be03d8dab99586daa226d3e0d8de

SHA256
4f2e2602ea6f7c43a4af3f99a407f710df7de999d4f35d0629b7a80ef18ae43c

SHA512
dc3a0402b58d18fd1ac1f0acf31a5af64e900a2ee12e77b09cec272357e4b9f902fb9fbb453f5064517f2e91d9dd7958f44d94c79a8bbd99de8afbf33c3035ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\31976568FBE31D20174C3FAC50D34698_2224EF112EEB7D5CE6B913D61620C791

Filesize
400B

MD5
a634a9232db3f55e90e03f71990bcfb6

SHA1
eca4130485e51b47d9149b38d92004b3106aecfc

SHA256
08830486f06d12da2402758d7cc42bb19fbf9364249d3829c43642ac788290a4

SHA512
1be540d588003cee54c9462c16c54e778268daba57d809b596603cf0d2b9f73a77ed0432e43bcee0b80e24b25d506d57f6d87f19a43b6038ca52a990bfb49367

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\31976568FBE31D20174C3FAC50D34698_2224EF112EEB7D5CE6B913D61620C791

Filesize
400B

MD5
d4cc2c6d52a73b7c3d78fe0ca38ec666

SHA1
e6587fd1ac8b1d532579cac18edd590bb120af21

SHA256
7ad51ce3b382f2c80a1688e90020c9b41c5edc935c8d4dcc3890dbbe322f6fe6

SHA512
f9c32bc2b29fa0bc72a65aae755c88ac42b138d44fc31103a527c46b34a4543d1b37d243045d7a4d9cda5a17d46f5c1ec7a677265f23f7c123db86d60ef25189

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\31976568FBE31D20174C3FAC50D34698_2224EF112EEB7D5CE6B913D61620C791

Filesize
400B

MD5
e9e830205103ff869aa59f3a89f93394

SHA1
643971da5510f8906bd1614c40019648f2382fb0

SHA256
aa2782ad484dbedcf1d6368a3ce8a8cdc13a44f69ee77048335bd414cafca54c

SHA512
ce0e79ded5ebc9dfa7ae5c1a59580871a4f98e16f18fb40248e4325c158af51d2810d8c4d03ef9e73d587550f9eb774a44ceede1d8e54e3dcd7038afe00a3f92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\31976568FBE31D20174C3FAC50D34698_2224EF112EEB7D5CE6B913D61620C791

Filesize
400B

MD5
bd0f791e45d3c09f581b569cf1b7e1ec

SHA1
ccb9cdaa2243727d1d10a6735f9a258dc2fbaacf

SHA256
8a399a2c7871028c6f8a3cd6c50ff99e764c0f8e175ee20c52b17820aea3bab1

SHA512
9920deb68d2a7ca8e14f0984019ab1952dfc747c4c47ec918e2c49c0629c075e05b514e19efe2467845a1d007af919d6533afbee77d459366d09a1e9c1b486f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\31976568FBE31D20174C3FAC50D34698_2224EF112EEB7D5CE6B913D61620C791

Filesize
400B

MD5
d9a2264ea02679bfdd05ba224df49b58

SHA1
93a53635e68c278c70aa2ab45110b47ac2697e0e

SHA256
0f2c251022d88c07098d89a158e550d89739108abab7927647a72a798342de04

SHA512
999d924dd0f2fdb3bb68b5f3ce2743256fb65c1c39bc1e7c58be74df0779fd7551fba766f3646278d694752f278f7bf5428aca38ed6cd71f8a31349c09805517

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\31976568FBE31D20174C3FAC50D34698_2224EF112EEB7D5CE6B913D61620C791

Filesize
400B

MD5
382cf62aeee904266f4ab77f18ed318d

SHA1
e9459757a8f821e185e322c33dd9fa99327508fe

SHA256
b291b5b515a392fbd0ef27eb07d12dd799cdb61a55462de05fa21312cb296721

SHA512
f6cd8e225d75cde9e26a0cf98b1cb269d59a8bb6e6b05edee54ab1adeef254ec09bd0e9c67aaa9cba4a5856cfd9a655c815628da247dcd5aa81cc83f1a40e30c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A7BA05B6-EDB0-11EF-8CD4-FAFE8A32395A}.dat

Filesize
5KB

MD5
ae9d85ba5dcd772d9a490e6e206ae1e1

SHA1
d233ae976464f1c6d13437b6485bf0dc3f3812b4

SHA256
9c500019b0341a93005f745a93ee7c5b4bce086916b7dccd592fa42c779b1bf9

SHA512
6f891017afd8c326be61e85b99addd1a59bf07acf6715c9778ef0a77c69580dc66e641382e15dd4a17879595db4e8ffc5f8b8015494cb498388d489ff30fcce2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A7BA2CC6-EDB0-11EF-8CD4-FAFE8A32395A}.dat

Filesize
5KB

MD5
f7ccc088b1e6aa182da9fdf794c608b2

SHA1
f7103c6f218e680f97a90d203abca88b3da8862d

SHA256
9276c7de2028dc245babae1c5798f88da9b8a750a6f2ef5a9b18c77053d4cfb5

SHA512
fb60f4af1f80967914020956db3853e9bd577574b9dd6e70c0c6c434d195f4e7537ad4f26af10bcb4aa27a00201646cceb5f06faa2e9bfea120a356e7688b1a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A7BC6838-EDB0-11EF-8CD4-FAFE8A32395A}.dat

Filesize
4KB

MD5
1480cf711e07fb514524e239f43d4b8f

SHA1
9a3929e32e26b6ad7c9f7335c5dff04a292cdbea

SHA256
1feecd14243c9c8cac33241cde5dfa4007667eb75f59674ee287b4421cc9367c

SHA512
64efb2d965d3d330eddc810f592e863e8b761ab8ac015abc97e4a650e7d79eb5ddfdbfb99deffd822c5b31ace81a4d69e78cf983643dd906dcd8f046b15d3a2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A7BECA8C-EDB0-11EF-8CD4-FAFE8A32395A}.dat

Filesize
5KB

MD5
ae92f5873eee19fd1807f6b3e9fda36b

SHA1
fdb055c0a4b8b07885ebace8a3a30e15144d735f

SHA256
d58bf6963faf5e2c12007da7a11f457f6be73e452b7b7202484fc1f23c93f46f

SHA512
75bdf3326b1df6913f36b5640c6c0b79b942be79749d1d917d06d9494b54b34e7bb556ffde26e9ce641f05f70424eae692ae86ec490f0bef1c2519d56d38c46d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A7C853EE-EDB0-11EF-8CD4-FAFE8A32395A}.dat

Filesize
5KB

MD5
c7937485f0e955b458d4efca8ff95a0e

SHA1
81da9965208b553ff9543e880f184f37e1b79ca8

SHA256
0a7feae962804a04e698bb839b726f76c32f110743a255f9191b61e422c302f4

SHA512
7f6de940687a3b287532e42a16bccb944d3c63c23f7d3fff81428f066d275a291c5cd673ad902392301e2f71db9ed5b2c1b96d9c0a0e9ec404cd2f3cfb4b8cbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8GU4RKZM\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-02-18_f63713e434c774d79ea05c743dbbc986_mafia_ramnitSrv.exe

Filesize
168KB

MD5
b6475f6ca119d32ef8cabb757b3be1db

SHA1
0bb7f7a4ba87a089b0be1be9210fef550b0b2e2e

SHA256
644e4758783803f7a4f9e23d0aec52607f2aa04f2377e7ae80fbca8d48a03d31

SHA512
f272921a7bbba0f2edb8e7262a203c009b159aa87fa32bc773176151ca3a1d0b40c2a052af08e223ec1f21778cc2fd2cbba831fb5770a2fa30998c995db925f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kno701F.tmp

Filesize
88KB

MD5
002d5646771d31d1e7c57990cc020150

SHA1
a28ec731f9106c252f313cca349a68ef94ee3de9

SHA256
1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f

SHA512
689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NationEcCodeUpdaterLog\NationEcCodeUpdater20250218.txt

Filesize
217B

MD5
2047998c3957eb9cd1d7aa887ed2320a

SHA1
7b1d77a7808df68cfc04a167957968fd6f45c43d

SHA256
39e62e562ec7c9d3087d45f686c0401f716b1e67fd2a0eb1b77a1dd5ab77d947

SHA512
f9fbbaff92d5e55391630bb022c9681688c28cecb56dadeefa7132b88f8070a89350e0c6e6311b96178033fc6b6fb357dc54ebf69f28c347f2e144d2728031ca

Download Submit
memory/868-8-0x00000000006B0000-0x00000000006BF000-memory.dmp

Filesize
60KB

Download
memory/868-9-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/868-5-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/936-42-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/936-43-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1356-0-0x0000000000940000-0x0000000000B2D000-memory.dmp

Filesize
1.9MB

Download
memory/1356-54-0x0000000000940000-0x0000000000B2D000-memory.dmp

Filesize
1.9MB

Download
memory/3684-34-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3684-33-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3684-31-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/4380-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4380-19-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/4380-35-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4380-36-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4732-60-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4732-55-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4732-57-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/4808-51-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4992-44-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4992-30-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4992-32-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download