ramnit | 1577d51aa666e9283eb6eacee5950b586c04abc57072863b9e3f59507569643c

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15-11-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe
Size

1.9MB
MD5

8dee32eb82cace9af4e7a0b39633686f
SHA1

8ca80c494d808bf7f8688386d83c6639ce1c64ae
SHA256

1577d51aa666e9283eb6eacee5950b586c04abc57072863b9e3f59507569643c
SHA512

fffdcf0a89c8d752c19ad005b5dc89f4372706c8a9a1cd1fd34e5af555aabafd92cab074241f1f88b92b3c9cd24876b3b7cf1770cf1a46dfaca29bfa4d38e9fc
SSDEEP

49152:NexqJHK1DGeJfqopT1zZbFRKnxRBGoxLibj9Xl7Z/9Uu0E5+T:GqJHK1zJbpTVZb8pLlibj9Xl7Z/9noT

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2504	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe
2812	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
1904	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe
2504	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000120f9-2.dat	upx
behavioral1/memory/1904-4-0x0000000000170000-0x000000000019E000-memory.dmp	upx
behavioral1/memory/2812-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2504-15-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2504-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxEB1A.tmp	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD5BA2B1-A346-11EF-80FE-5E235017FF15} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437832944"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2812	DesktopLayer.exe
2812	DesktopLayer.exe
2812	DesktopLayer.exe
2812	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2772	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1904	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe
1904	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe
1904	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe
2772	iexplore.exe
2772	iexplore.exe
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2504	1904	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe	31
PID 1904 wrote to memory of 2504	1904	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe	31
PID 1904 wrote to memory of 2504	1904	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe	31
PID 1904 wrote to memory of 2504	1904	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe	31
PID 2504 wrote to memory of 2812	2504	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe	32
PID 2504 wrote to memory of 2812	2504	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe	32
PID 2504 wrote to memory of 2812	2504	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe	32
PID 2504 wrote to memory of 2812	2504	2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe	32
PID 2812 wrote to memory of 2772	2812	DesktopLayer.exe	33
PID 2812 wrote to memory of 2772	2812	DesktopLayer.exe	33
PID 2812 wrote to memory of 2772	2812	DesktopLayer.exe	33
PID 2812 wrote to memory of 2772	2812	DesktopLayer.exe	33
PID 2772 wrote to memory of 2872	2772	iexplore.exe	34
PID 2772 wrote to memory of 2872	2772	iexplore.exe	34
PID 2772 wrote to memory of 2872	2772	iexplore.exe	34
PID 2772 wrote to memory of 2872	2772	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe
  C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5eaf6756ca58779c2e839494ec2bdbff

SHA1
6662036d9a472227b3f140182efb164d952dd46c

SHA256
dfd780a171896df6195354602053e20aaafb2bf4afe82995eddef4b40cbe239c

SHA512
b6c3dfc5b327f6f429b30286784206cc79faaeb0e6bd03cdf7b021a3521ff7cc0d6aed6836de335b16730e4945e62878f9e78e26fb67374e1f5096df8879246a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93e2e76b5c392356c75115d0f7c222d3

SHA1
a78fecb3e951b1f96322a41e833cfae8476df016

SHA256
d4fe1dcc77547996dfd7ef0f269e179df5519f1c2226f2b068bde316153621a6

SHA512
0cd52e9d7ec27cf203992abf9f68df72bcafdc62ba6f948fc51f7440612640f13fc1af439a77d5e130dfa72877e8b49fee5172121e6c1757bfc7e50c44bb47e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17cf95c1d024bae2b8e08b1bcb3a325d

SHA1
064b467b5eaa861146fc11e7ab1425e621644fb0

SHA256
7c2767b2622bbb39462714de4354ec7c8bcfd842dd6a57975c5f9dc8f04425e3

SHA512
a0dd5ebcf7f3aaeca6ea8a73b8478cf7931c77bc36bc943ec99cdb995bfb55009ee665c41ebbd59de7de5d35eacf5f0a36c1f1a566499be14c7cbf8fc0283316

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4672e8f0cac1233e853170797639cfc

SHA1
a377a3c917b23e6ef3a39e3731b9df54325e7af8

SHA256
0442dc992f427bf36b8370a4788cbceca883bb4ef888b76c8e76b900756815a1

SHA512
fbf8774adf90375703b6a55ff6979ad946de5c875de46ce480a60eff0683ed6c2a6171990f8dd6aaa891a6a29c9fb8775bc99663611ee967fd651e87b947e7d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a885ca12cefd591cf3277e199fb4a32a

SHA1
5070bf2969de28e66ae9f869fbd369abcf5e1085

SHA256
88035966351d76cf25b4b264e1e41b27b4cb580d32b8edb75b3d9bf25891f25b

SHA512
c475459997ad2d6e1b6313a7001fa70fd0e5fcfe8ceec63834aa6254a175d0e737bcb116086bcdb459ebb0740b51557836ea972f5ce714e72591dc81bba04065

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3cde2f28b2859e1a45719f77d554877

SHA1
7ac6f35b83dbd69c90ec5c04be857126adbf6476

SHA256
5aa41cf20f284b9bec56dc452dbfb4c0685bf8f64629bd4cbaefa9ba2014751f

SHA512
ec8cadc3bdde145e9875d79b5fe5936f4a19537d97f752fa9a1cb3171d20abce2621a74e48a7624600efde6edb285be710c3476ab14741ed12d0eff1a5fb4f3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4a703b9a09c0b400be5982833a82ae1

SHA1
ec0c8c20c9a579678f3a84773f4d594cc2164b90

SHA256
4494854799107bf038f52b239454f77adabb53ddda4a1a8cdc6e05115eac5623

SHA512
56e4906f54c76af9901fa32302476d4fea76d27d25a45196b1ebd854021519bf973b5578100098b66ec9bf11d7977ad0230adfbd038d89afa7b0e76e876e14ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef3d0f70908b023e78f5677f202d7560

SHA1
6c3c60017b031a81a22fb8b069b90ae3e1fa2f30

SHA256
15b83f04139e7f7fd6911249ae75f64880c15a2d0f46074ca7eea5515a78f57f

SHA512
4934e5ceca2bf5289900733fc99b4e9ec55f61d4b3da1587c4f880f5faa858fd8a6cecab2b3e8b653ab9fd2277cb07a2712dd8d2b415c7c6c1b75c08df2caf35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
beff4e35333cc4cccb2e3a024871de13

SHA1
dcd895a9d0b196c7d1f36a602b5c69cf161db442

SHA256
67f6f0b53253f275abd0aeb6b28fa0ceca7d6e8ea28ed9aba2750f23dc1fba09

SHA512
9e956429750ac6b087f966232f5e868cd6a43127eab1db94e92a8bc8de2488f1ab1b6dd94a211299efd6fc1e36c3e22c69572e13a1d7ff8b49b4a4811724a618

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
283aca828bce5cbfc00223d8a5ea45f4

SHA1
5cdb55497761f55760629172603b46908b19bfb2

SHA256
607f14f7ffc5c1b69ec0e22403f8f1c2211adf10b05b03fe486b91342f591e2b

SHA512
df6b63826cd9959e88bdd11bc1ec8a3140f67c7c77050cff4fb138b92d2da9f25dbe53dd1bf9f6d953c8d4f60f1f2fb67f0fab7c79deaee0ad24b97926d73d09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90fac036bf8bb37b2b9241ea26149ba1

SHA1
a480dad89a21ebd695a3fd9223c25189c13c01e5

SHA256
e2b1dbc27595cb4f51bce1e1ec6f49e4a87d5545303b4cf596947003a9b04a00

SHA512
f299b407433f08d34467938affde3d97fd3a249641e678b303e14e86e9d75a571b33c4dfa0f25bcd7524aa7f99b3ba616262383adaa4d4267934a9f9ff5825f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09ff8e1a8cd9c712ffbc8e9f638e59a2

SHA1
7d047e29f8732d198aff69fd216a64ad8d64e655

SHA256
91396a6b7daa69beb444a72936b562a32ddbe22e2e6be21c85da0b0a5a68f76b

SHA512
faed5dc223372ce99bb80215808f3d908777b9b9002e916bd1deb7e8e5a59d9dcbf6722acd2a38e950d9ab0a96d0d3b072554e9e9eacd90f5ba29e702b245c69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1ca54676b89be27c75d0216ccf4eccc

SHA1
a2faf33225c6ada271c87b46dfeb8db71d03e086

SHA256
c63ccd0004ade94de2bf474bb35cb9853d22101ac15cce1d8198b99e77874b5c

SHA512
46432a0c5f10cf36cb9aac3ee186809eccb93f848797ab36d87832b5fee03656f58ecd1d3f7dfaf31f7dfdf5e61ca1ffa8c16de92458c94620ac37c3a304ff02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
440e9c58ca9ed374bd5d6bfbfaadbff6

SHA1
37ee1fdd726f7ae6e000b16737183681676cb458

SHA256
16110db22c8a0c6d652d614962ca7ef4971e795778d2ef92032ec35be4595195

SHA512
a486c6038f35d6608fc3bf33f04b327a87adad533322d80222434000f400d71525100202b6b72b677bb937c07042148d68140c218066bafeeaac5399f7c5a84b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
688949ddaebf4ab82fffdb1b1f1d8fda

SHA1
a6cb08a774e8295537c836aa6c62ccea4e47c063

SHA256
24c6041f88ab4b2db8c9abe8a4232a45a25f174142dcef14616232b2077a7d83

SHA512
15e33859e22bd416b38573ffc3e876c4458be4b66dbb6ab1d51dce5507a53e238b9923cc93380948b41d061365e7b64be4ffcef2aedf320e577224022ea41ddb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
400c53d55a178ad1a782133ab19d8915

SHA1
c9e402d80791fbe917ab7a8c05809f747ee00f74

SHA256
e43bc96228722cef1515a813bb079c6cafa3a7265a498dcc1828385f06b89a47

SHA512
c8a0e975ad689158191e7231a374a5611eb3e168402f66c99eae7bbba96f590c229959a2546a1767512de89fbf060ac6af3b4c1e7117f008b657358115024960

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4816e9555fee687c8bbf0a52ee8846d7

SHA1
26e99a41aed591ac3baa1532e391c92d66fdedb9

SHA256
c8f5a2341e6bf899cd78c582567ff7be116f80c0d18a2f35e051fa835916121c

SHA512
1097dba94f92f208fcc7d1170222ba5f6cf1f76402b8ec17d0ada31d653bab4e40383bd32bfd83aa3e4b3d195ded69ecf1173cf14388daa85409ec87afce3bcb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b051276d9067fc67eed9078650e406c0

SHA1
acb9f6813ba1cf2002e972d465eb127d5f4988a2

SHA256
c3dae326f571c7656aa6f75b3bbeb113c491fd3cb97faca53217ae18306e7c23

SHA512
63363f7bbd4851a710fc70e86642ae96255c5a8bc5bfc20268eb537afc35979d2f5d66dcfa43294226466c3cf48627a10604aa5e4d9b4a52e1025fbb8d865ca7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd418e857e5744abe852c11e4641a897

SHA1
c956f782d120c5509fc70ec07e80c66cf5e6cae0

SHA256
23492beb040502d4ba9d27ecd4cfbb673b51fde1e47eb4b197e32074a2795b04

SHA512
831feff1995f0b08cf9ea40e195cca2bc52a42e70a5e9f9a36875d84e2d95e806f502d02d02b94a7c63309bb085c2618fd13560d715ed5bdf9f4d90eff8c28d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
349bfaff41968cc3f0f543f78476764f

SHA1
95e7ed0350e8df23c95475db4d54e5bc95203d95

SHA256
d4741ae105a11055c93a8050064818ca4d786631d6e0a9aa50b431b432763d9c

SHA512
29f680b1bf08a69e10dadfcc0d93c84075b65a038b385bda4b0d4d1f2cb25a993a8038ecba5853c02a763618b3c60304acd6a414186264a8e5de00a1fa8346c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab12B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1CB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1904-422-0x0000000000170000-0x000000000019E000-memory.dmp

Filesize
184KB

Download
memory/1904-188-0x0000000000E60000-0x000000000105C000-memory.dmp

Filesize
2.0MB

Download
memory/1904-1-0x0000000000E60000-0x000000000105C000-memory.dmp

Filesize
2.0MB

Download
memory/1904-4-0x0000000000170000-0x000000000019E000-memory.dmp

Filesize
184KB

Download
memory/2504-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2504-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2812-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2812-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download