ramnit | 901b9a1e05436409e63ea3bd862317b2ee7a7c83e1a7cc8ed4d65119407a7e40

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnit.exe
Size

1.9MB
MD5

bb55ee374a0660133a193395a739b98d
SHA1

7a8fae8d074a1dd95e68815e05322cd739f727f6
SHA256

901b9a1e05436409e63ea3bd862317b2ee7a7c83e1a7cc8ed4d65119407a7e40
SHA512

110a65130f3c9f55bb778aead19f1dbee6e4c2cc8a616f18b9b3a6ac00feec74c906468dacbdd9fcc100161085e8cf20357e111844ef00d07a8975f0afe67ce2
SSDEEP

49152:NexqJHK1DGeJfqopT1zZbFRKnxRBGoxLibj9Xl7Z/9Uu0E5B5:GqJHK1zJbpTVZb8pLlibj9Xl7Z/9nb

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit
Executes dropped EXE 2 IoCs

Processes:

2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exeDesktopLayer.exe

pid process

808 2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe
2520 DesktopLayer.exe

pid	process
808	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe
2520	DesktopLayer.exe

Loads dropped DLL 2 IoCs

Processes:

2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnit.exe2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe

pid	process
1940	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnit.exe
808	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe	upx
behavioral1/memory/2520-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/808-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB4ED.tmp	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnit.exe2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exeDesktopLayer.exeIEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7A6D5021-9873-11EF-BC08-7A9F8CACAEA3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436642589"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DesktopLayer.exe

pid process

2520 DesktopLayer.exe
2520 DesktopLayer.exe
2520 DesktopLayer.exe
2520 DesktopLayer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2148 iexplore.exe

pid	process
2520	DesktopLayer.exe
2520	DesktopLayer.exe
2520	DesktopLayer.exe
2520	DesktopLayer.exe

pid	process
2148	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnit.exeiexplore.exeIEXPLORE.EXE

pid	process
1940	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnit.exe
1940	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnit.exe
1940	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnit.exe
2148	iexplore.exe
2148	iexplore.exe
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnit.exe2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 1940 wrote to memory of 808	1940	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnit.exe	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe
PID 1940 wrote to memory of 808	1940	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnit.exe	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe
PID 1940 wrote to memory of 808	1940	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnit.exe	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe
PID 1940 wrote to memory of 808	1940	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnit.exe	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe
PID 808 wrote to memory of 2520	808	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe	DesktopLayer.exe
PID 808 wrote to memory of 2520	808	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe	DesktopLayer.exe
PID 808 wrote to memory of 2520	808	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe	DesktopLayer.exe
PID 808 wrote to memory of 2520	808	2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe	DesktopLayer.exe
PID 2520 wrote to memory of 2148	2520	DesktopLayer.exe	iexplore.exe
PID 2520 wrote to memory of 2148	2520	DesktopLayer.exe	iexplore.exe
PID 2520 wrote to memory of 2148	2520	DesktopLayer.exe	iexplore.exe
PID 2520 wrote to memory of 2148	2520	DesktopLayer.exe	iexplore.exe
PID 2148 wrote to memory of 2768	2148	iexplore.exe	IEXPLORE.EXE
PID 2148 wrote to memory of 2768	2148	iexplore.exe	IEXPLORE.EXE
PID 2148 wrote to memory of 2768	2148	iexplore.exe	IEXPLORE.EXE
PID 2148 wrote to memory of 2768	2148	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnit.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:808

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2520

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2148

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2148 CREDAT:275457 /prefetch:2
5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f91da2b1d31c63317961cb6cc492608

SHA1
56506ee2fdc25e6c96733e8b8d0b00f416f68666

SHA256
9da0d79da19563775bcc0ddc1f0e8827e62323d91c1bb45b7bd7b3f8b74141dd

SHA512
fc200a4b0186ce2deefc5576b9fb1a8119b612b32bfa816efbde05e9efe51104c7fd2aad09aeace7eef8bb59b7c55219085b3dd42aee8aaeba22e56872133e8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccee1e2db53ee4504c2955f9158557d1

SHA1
c87d54ecfe8e31d15a160ebf4c299f360f97cd9f

SHA256
8f6ea068bf93ed720b05735c0d1d4f178fafc31e6c8f78baf07d3c273165929a

SHA512
0ffe980968730b56e5fc0b294b506ed0530589b747c5116a39418183d3318bf4466ee5bc7c663c8ac5d0623cf567f7fbbe19845060b5865e351fe6d264396659

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b15445d51edd2c9b03d6a0777d434c3

SHA1
e3155266caa6e5bb76a15f32d4c8c4fffe87b0c2

SHA256
a880189e1619a26dbf710db4607fd232a2b0228ab1cb3da21507e09ca69a59c4

SHA512
0324f93b1fd0eba80f2a3b93ab6e1f3f3e478136c465c63a0bdb97a1e8fce4539079b6c5d6c76462700cc14eac22ba45d159d3a891dcd1a714213c989e0de58a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d3ee98e9239426d0dba1e6c85ea3550

SHA1
5475b3fb2237534ce24edce341aaeb50d5ead7df

SHA256
8151b56e82ed18825e7c093e8ba54e5ae5ec5b3d817598b4f5133d10437be652

SHA512
d0ab514af826ec6bcad8e429b58bd871dc612cf9338c306ce5a854652b7503228641af759e1adf8dd5bd43bf6f41a655f34276550406d5ff7143050661e97153

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7127f29a528cab91f619b8ee6852f68b

SHA1
94d0023e1cb0b9e3c9440c98578763873c180274

SHA256
327feb2c800ea4cd3a8b7a6b1a44dc3997bbedd88757e23beb985b5adeac17ab

SHA512
fe418eb33425d6c4236fe35bbfa8ae8374ebd8016faf2abf18541960caf5c4fed15de58926553cea360de7299cde36df363644f02c3947fa888963b87555e8fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03fa3f2ef73402075b4b1884e6ab9f8d

SHA1
6a07a913c4ab9c637ab479378830470d82d8daa4

SHA256
ce93fe0cbee9ee285c2c20cadca174c36ccdd2d6053710ba1e24eb47431ec3c0

SHA512
c5cb1d3d994b69ac28118520a2aab17a8d04790386b95276e2a364d36a2fd701d52d0006a643045eb1103d30025ca39150c2671e4ca1921ac85df0ceca4eb537

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d55aad63170b8f9b68a965b3ece2dc4

SHA1
355da58a57de495db80e9e4b23916075810d8ce2

SHA256
5a7000a1d1f98430dc275fdc7646fd83f6247027a6a896291ade8bb187b8d059

SHA512
087afaf34c7aff4dc5bf569bdefbde74ef70ca3cd418a4a38901daa99526cecb6dbda899af812a376825674a54db970ea5a82f72fc7e02d69648891411a0f4bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef9b0de84b18e5c3346fff92fb01f5cf

SHA1
31c670718d31022670596fc5ff4f4b0e54710fec

SHA256
c7be14911c74984be4322d45cfe6bc70c1666520476fb403c6c555f0850d4a23

SHA512
0cce1537cfa55dfe692cf75cfa832dc22f99145e5e5343de8a5f95e4fff715f3ff2542f6108aba4d63d87b1a45ab3770f82fb16a3b2478d0a4490df8239eeaa5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8154dc29338028927249baed73437eca

SHA1
64c4bdebd76f79d96bf969d44a293e637a44d6d1

SHA256
d9f8c085ace9c6311f281204ed04253dd979d0d128349e31fa608c04869e96fb

SHA512
34bc22fbf0aabb1701afec5fa5820908b3d19fe0ada5c0c4a3076f943d39fdd91c8654896a6648b77d7cff34a5f64d25f39e55e80d7edce4616db9801e00af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b18c237110559c1ab60265a44e3cb0a2

SHA1
dd59d85262cb798942122345db08771e2bc6764c

SHA256
861774166b0ea98fa82e52b9b56ffe7ac5fcba218c6f0c8fa6d300b56419bcb1

SHA512
d1c4e5e9c1254e47b6997939d9278db2a8dbfda5c94e95870307afb752ab34bb17fbb895e3e8c58098e0e769f7c708e2b12ebfa0a0b707f44e03294954735e9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d2fd78444929a748635599c234d927f

SHA1
95c44fd38affe3ef66426890967c37502984b64e

SHA256
7809ce801daefbe239a1f8b20cc3c2a0689a801803719a0d7a0ee4f931c94300

SHA512
b164b6e8b587a331ea9765b7c6a0dc3fc84cf0f0a953ec447a5984b12a1a9198df14d0e6b84a0f3121089ccc5bb23e43acada218149babbf69f36756dc7582eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ab60e8b0f4823d9bed194f1812368c1

SHA1
871e74ad3fed5a691f19f516b196a9f8125d348d

SHA256
3b37c712c92a7a455e01a61b9dcc3e6caccf9f0c0e01b8c6654bba04805b9bf9

SHA512
aa2886e7cc39260c5b60b53340f84c11968fa733479b1b3e816da3a1df7d7a9c3e278f82eea2a36d286912750d37b5200c84db664ff4c6f08a53a79c38248cc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e4ecce0b24dbf933b56e19cb9faa363

SHA1
b0ccad2d1daefc76f7880a62d368fd9a03ad8f59

SHA256
3bf1ad32f68cbda352cdd6b75d94e83b2bd6c198c42385904c82f6ac83e68aa7

SHA512
74a8a6220f7cb69eeb4962c283912371040f1e33fc4e23decdf60f6ece1fd164ed7154e2e76afe3d8494161b510030943ac32337544ea036d707dcf3a507792b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f02501134a40103cd71c44e54236deb

SHA1
b792876135cc70d159ea53e1229ee93d48ba4065

SHA256
3f5286070db7e031317e193516369d3e11848a74ec212e9ae5dd2b3f152a9a38

SHA512
563ae66146f53d2ea7c2191ff917658d961724c6f10d372b1fad947885974bd9581b16b3a44df38cdcc5867c56d9e96bc860b83ca28257e9128639ef535b6dd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3115bb8be987f2ea572259de6a067dc5

SHA1
773618815498ce2667279a5bcea7761c74ef01ac

SHA256
b873161b23b123e9a2ffd4dbb19604aa5b53a253d954d4dc6d3c00e8593068fc

SHA512
88b096f8920ff10b6b24a45dbd62503ea714ca2e79d95c62db245c38ab5e723fb1874d58d3fb6c67f5b19224aba8975a2a17ad497db02ad68f5c58612e6ba456

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f28ce49051be1bf0dd1686dfa5304756

SHA1
972d0b82409a948fb3a3d1c68f5dc2de41d51264

SHA256
3dde4364346ab24484c1005b7a08284057669611e50ea32b25a97242cec8a386

SHA512
26a6782a1e90be2508e12f35b8ab4bc4a5d1fa3976fd71c9bd1d9b58ab98e0f16c6d87eee0c0f2a0e0d7e0f1570f8d956a38628f6745886328613cfe79621d8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17824a72cbe47c3fef2a3b3876ddf19e

SHA1
9aace8f451e7044c8833a8a626ecf31cfcbbbe1a

SHA256
1674da4bd1367210675608526f4a331a13d854bed74467d9ab2cd748d033d185

SHA512
7e4f417b918e22e3d82ef0872783cf4a8fb38636708ad9b41df17a01406bc5c2d73e5c3b9bdb419d57b36a66b27d0c7a402e0fe443afaab9f2b018d59eee9881

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
421e4b3a2c7fb7b5605ec3503475b85d

SHA1
806b099ccda78b0605d1475ffd5f5ebead5c7b36

SHA256
204961ec34223cfcd75d95b16ed9f7e4afbe7d23091b46fb9d37399ac7ea6c11

SHA512
558454c494e092e9a2fc134c6c9adedf28e0a0e7b0d014a8e8b867b43175b70faa10332e7bfe83759f52658735a19e9cb556fa3ee745e15c6bcee7c86e9f992d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD589.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD629.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\2024-11-01_bb55ee374a0660133a193395a739b98d_bkransomware_ramnitSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/808-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/808-10-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/1940-21-0x0000000000250000-0x000000000044C000-memory.dmp

Filesize
2.0MB

Download
memory/1940-1-0x0000000000250000-0x000000000044C000-memory.dmp

Filesize
2.0MB

Download
memory/1940-4-0x0000000000170000-0x000000000019E000-memory.dmp

Filesize
184KB

Download
memory/1940-22-0x0000000000170000-0x000000000019E000-memory.dmp

Filesize
184KB

Download
memory/2520-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2520-18-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download