ramnit | f49dd4cad24b109d38ef6548c48188ec4db6c16a3086fe200124433e6b3262d5

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/02/2025, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxz.exe
Size

16.2MB
MD5

d4e3642f6aa005d56c42e3eff6cfaa2a
SHA1

3603be6d330152d747be6eeff5c626b3df669a26
SHA256

f49dd4cad24b109d38ef6548c48188ec4db6c16a3086fe200124433e6b3262d5
SHA512

677816dc3baa5685c60315ed1f000b61ffadfa5c8e973b79acf314c7d72b5f9fbf8ed1c6a40e02f0168b59528bdf2c88f2b265981d5e44860e5189b5c771da7b
SSDEEP

196608:qeXaEgT/xxqZbtQBu1rw1aUsvrsSmeaoK:T+0JQEBw1aUsvrsSTaoK

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 1 IoCs

pid	Process
2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe

Loads dropped DLL 2 IoCs

pid	Process
2132	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxz.exe
2132	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxz.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012117-1.dat	upx
behavioral1/memory/2352-12-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2352-18-0x0000000000400000-0x000000000045D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E3EA6311-F4DC-11EF-9107-E62D5E492327} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446803370"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E3E5A051-F4DC-11EF-9107-E62D5E492327} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe
2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe
2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe
2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe
2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe
2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe
2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe
2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2996	iexplore.exe
2984	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2996	iexplore.exe
2996	iexplore.exe
2984	iexplore.exe
2984	iexplore.exe
1868	IEXPLORE.EXE
1868	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
1868	IEXPLORE.EXE
1868	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2352	2132	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxz.exe	30
PID 2132 wrote to memory of 2352	2132	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxz.exe	30
PID 2132 wrote to memory of 2352	2132	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxz.exe	30
PID 2132 wrote to memory of 2352	2132	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxz.exe	30
PID 2352 wrote to memory of 2996	2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe	31
PID 2352 wrote to memory of 2996	2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe	31
PID 2352 wrote to memory of 2996	2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe	31
PID 2352 wrote to memory of 2996	2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe	31
PID 2352 wrote to memory of 2984	2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe	32
PID 2352 wrote to memory of 2984	2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe	32
PID 2352 wrote to memory of 2984	2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe	32
PID 2352 wrote to memory of 2984	2352	2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe	32
PID 2996 wrote to memory of 1868	2996	iexplore.exe	33
PID 2996 wrote to memory of 1868	2996	iexplore.exe	33
PID 2996 wrote to memory of 1868	2996	iexplore.exe	33
PID 2996 wrote to memory of 1868	2996	iexplore.exe	33
PID 2984 wrote to memory of 2728	2984	iexplore.exe	34
PID 2984 wrote to memory of 2728	2984	iexplore.exe	34
PID 2984 wrote to memory of 2728	2984	iexplore.exe	34
PID 2984 wrote to memory of 2728	2984	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxz.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe
  C:\Users\Admin\AppData\Local\Temp\2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1868
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2984 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fcc3c8136ae2b7cca39fa1115c990db0

SHA1
f8e56d71189524cf5a43cd8535f8892dcb659008

SHA256
e74dd18d70180d6b8de634e53d6e3ff352e7312a21388713c1fd544f1a829375

SHA512
1cabdf0cd9c4ceadffbfc7c0219a375d769d4d312531eb777b1f27f471fc106ba88f1a6675bc03dadcc4f13d9db926ef698511ea44de325fbaf702a71b0cf451

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6acdf6834c0ff4044416c27691b0ddf2

SHA1
5bf090ff549969446b58ddce493e7b6eb3b24ae9

SHA256
139f2c2ee27a5b8a707855703a16e0754c7c42773fbeaffa39d4dfd6583a3a17

SHA512
be0f53ee91fd13d74c8a5fe4b8898e3d39045fe63155bff4e5a3598893dc88ff198403f8df4263b5381299b34dab5dabde36239ab38e0518b9e519f337ccfa4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95f924e996735d5bf92f70ee82b08e71

SHA1
cbedd84b5c41c9fbc2dd9f3c132418d99c37e549

SHA256
fe1d0a41e30150356709e1531c8a5ccc25a75eedcea8e3b4ceb1903090b2f64d

SHA512
4c0527c910acd07ef842135511d61dca947c338eeabb53700773e3b5d10965a864e007d79d06fa37910063e21974a5368adce041e423eedc7715c00285a9a2dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
819e50b104dfa17d1c90a301164ba1a8

SHA1
1bc12271922e0ad68618bce5eb1bdde9e60b9a00

SHA256
c7689d2993044cb2c8585d114713f7b01e0b7f870b55c714f883301c64662bf2

SHA512
b729fb11c76813f1df9b5e053e90eddeb1f18e4ba3a6332ca870589040aa41742c2c4594c7400bc28bf321b43130ed1e3c950441672a090a2b74f49a96cc9aaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bdf9d1faf78d37fd3c92c4a1d315482a

SHA1
89f705e5a1d03d779126d35fad91b315b0f87e60

SHA256
42e1a2a956745b79a035f49de6b23debcbab677a6606ff1e93599677aa470d3c

SHA512
2470682d569f5b77f931a0a95b97f053f13aafeaa25d2f4b71ab33f42266681201494f5901a2e909d97de1fd1adf3011a9ffe7a04963a0f49d6e05fd4c7601cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dff1f176a545cb4a3330e8aa3be4b603

SHA1
6e522a24127b2425fef727d4612af6b0787c165e

SHA256
1bdfbffd862cecfba8220644552839bf9b194c3d80979df923b26f1b2140dd5d

SHA512
993bad339d6fbe2302ce3a1a3ad3fb8135a32653f04029b4c3f6e2339d4035bd9bc6efe64772723270bcda3a084bab9ee1faa2948d3cef88e9f3b5f95c61761a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e5ad4e45cbfdd6bf885a693c18cd4ef0

SHA1
54823aa24d7e8b0aeea437f4ea9e6ac038c4235d

SHA256
0a84150b52355661d96bc27a5a7f7355da5447973bbc54722736403592ad2434

SHA512
ba25d33dc7c3a593c7d6f53baf5d0c9edf576f20d4f316a87aad6c4813604c1e49abbd72b500fcea307c9c228868790a431d504185e35cf1d5bb0e9d97f52310

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9dbcd7c23aa233ae465f8e1a6028da25

SHA1
b1bd1250f0749d6320f8e89fa61b5b8b7d4d1b49

SHA256
a341ca51dfdab3f022ec2f733b8341887b797b935badd2cfe747404b860b27eb

SHA512
4ba61a970efccb99252cd88cb121ea40a6072a0903d9516d0479f14771f8b1a88eed0a7b326070b256de629727b46d3cffd608b957e0f6ab019c5b74759b9bd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b96b332f8e4bde88db4a1402cea44002

SHA1
b0a00b92334f3897f53bc567cb3fca92fe55e8cc

SHA256
e259225a0bbaec56c7ba5a5181fd01df6444aa518706bfbb556f06150ed20dda

SHA512
05ce0ab11b8344b2e17b6e47fb4f61e4f81334d1c20c84bdf3a75184f53c619e08d20b66ddf190bc43f81e358966cc8b3816e97b669623d5d68f4034014b35f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6780d91543afd77f076672475252171c

SHA1
e1e655f826f4d7b6b5a6a2db047f3b5068a97c91

SHA256
d70d360fa84532d542f5c105cb25c3bee5b3051d4f3b3aeed9e0a9079efc22ec

SHA512
81e1ddc801a05947549b5678d95d05b92410bb17d4a6c4069c3e03f8c0c6bda19e9fd3fb42642605b571794717c8628c22834b58d4ff8594f9107e121370252b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b9f361883a12217915107d602f1a69a3

SHA1
9bba6ce6e77070c84d900d0180d4c5e6b4e95b80

SHA256
86e40a14b017feac0a2ca899642c71e208be85c88acd6a3e14fc86a4538dfc9e

SHA512
f756f022faa9935183138f39275c43ca3e58714f22c3fcce7011684871b47776745fa1ec4671c48a97d576663d97fe81575386f78882ee6018c156cc9ea28f52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c0b43cb0550794455167bfe19ce2ba18

SHA1
7c4744e36d6fd69cecb67cd9e234f07dd351f1f9

SHA256
91f48aeaec7ff0ed3a3606bb3c1f52ed94daf99e2a0458d5acb7f89a50cfcf90

SHA512
e15a340cc38a960098a3ce7b118f80dca3dc1ded10c3b23804a3ca1bbd452ef809565cf0850c409542edfb5ec1428f6aacdc6d1a5fc781df9480c5244870a713

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
25978a371432f006a50071ddc3c1f125

SHA1
fdeb520cf834f56f4260d04fe1685e1e546a56bb

SHA256
a72d1ef79d744440b9252a0224c89f9412d7155636a585e15ac426c3f806bbfd

SHA512
fa866fb17eb1c559bae4837d49846e46495dc9c54cf8eb71bea832305052ab72b4d0e2913f0da3f26d867e4d41a4c4411c190eaa7fc424baa555c4b9abfef17e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c178c7fb39a1a38b0295fc75ab881cc

SHA1
fdf350349edf4df05fcda43631ba76f4596ca576

SHA256
c5417be880b9d99f0603c446414c664349e5660ca2c6e46ff16e6c9b581f7b43

SHA512
77271226db0fc4ad5c2d814f7562cfe60af0e6bef2abfafb9c58a8b4bc3876e37b69d9dc32916a7586e55913dfb820b908a0ae05a6d8ac16b0822029572eebdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab6beccfcf1708b9410c644afee8085d

SHA1
e075e92126e382b85c37ab098f6ceb9fa5fd3ca3

SHA256
719ba05f7ea987c2d56b2730a7b01dde3eb56a029836baf25a79d2c4c95ac59d

SHA512
08cd8c4f2f2455c93030955f43af86383b091850ed886e82d5eed0061fdd8b7a30cc6e1df991617300b39488f7fa452ded3209cc729a3f9d79ea0e44441aef77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1af956ff336c64b63fb891e8fe96cf58

SHA1
a5a44dc547d32d172b3ebd6bddda09b8337227f2

SHA256
c682a8780802ad2add077dc1f232ab1156874dc3916b0eeffa1edfdc80e9a28d

SHA512
3a673023b16f9e1b5e1bc15278ed915ab1353917aee2fb6be8f137ca00065a0f7c6bfd2f90c6d82015acec2e0ca9f7fbba854187fdae6000e43a149f4c58b877

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd7240192c7d03c8b8f9f01dcc1f626a

SHA1
1c90858c47e382a14ba08f18a5a7d6d4c6b40838

SHA256
87d2a7d9c43ad287fc1833e66e9ec0c3091f512045fd369ec4ba029d0593b089

SHA512
c51671ccae6ab76089ee1e1cd7e5459f4b32a0d6d2154fded8e4a9d1348ad09485cf6938588d7cca485f09bd73af8243e89ccbe145eaceb4028e198dab31d9a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eeb991ba1bcb8dc10e6d953ee366eb95

SHA1
4b341b2a7dab08c623d1dd4f64303d39fa1845d5

SHA256
df46f392f15edff1b846a653d2e5f3e8c26c6888cddffcdb647d563ea301d927

SHA512
0df619439745e74ff84098747846d1f52ec94f792d801976154f0c656d23df2978de553268ff62ce56472906876dc3ee21706946b73388b0c1cf4983841cb0d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3048cf9c76fbf4d4d1039fdeb2e3781

SHA1
f05dd3daa10266f4d4e7a2d47517d63ecea7d2ac

SHA256
905dd9c282d53023683732e1fb0c260403c037984026b98c079376a2378e274c

SHA512
e1dd001327a08afe2fe2352e99cfd56e5f16da2ef6bc829a38ca2bb2d492f5c3c9c7520b6a62dd726683778bca7b00a46529127ed218fccc9e24622b8d812d8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E3E5A051-F4DC-11EF-9107-E62D5E492327}.dat

Filesize
5KB

MD5
492d0b3e8a8d8b3844501ea018642583

SHA1
f30f671419dc961fcd9473a3ee3c5306bba0c020

SHA256
da802ef718ee22225db5c2787e9483a7202e1531ac9408599412f5459d59c1b4

SHA512
ecfcf39ef9aee6634c49df8d0db78b128b5ee37eb7da56c4cf6bdd12cfe188a3a40526a8ea9bf8ac31d523b93b332bf96d164ee9599a28571eb8c446d61b46f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E3EA6311-F4DC-11EF-9107-E62D5E492327}.dat

Filesize
3KB

MD5
d627832ca81aa241a171ff06880f8029

SHA1
6168838b9a960ed561c8feac57d01a598cf234d8

SHA256
e4dde2f1b5a21b5db20cfd1a1da3f1554d6905dacb56746bf1a2668c66c079cf

SHA512
e756ead7170ccb35760aa5af9796b14e4597312f007cbddb88ac33f9cb4b58e2d2cbb3a06b12e21b46c9dd1b6b31326edb41732064c41abb9da635732b595ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDF2B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDFCE.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
\Users\Admin\AppData\Local\Temp\2025-02-27_d4e3642f6aa005d56c42e3eff6cfaa2a_frostygoop_poet-rat_ramnit_sliver_snatch_zxxzmgr.exe

Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
memory/2132-10-0x0000000000B30000-0x0000000001B95000-memory.dmp

Filesize
16.4MB

Download
memory/2132-15-0x0000000000B30000-0x0000000001B95000-memory.dmp

Filesize
16.4MB

Download
memory/2132-14-0x0000000000270000-0x00000000002CD000-memory.dmp

Filesize
372KB

Download
memory/2132-11-0x0000000000270000-0x00000000002CD000-memory.dmp

Filesize
372KB

Download
memory/2352-18-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2352-13-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2352-12-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2352-9-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2352-8-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download