ramnit | 6cf21e8ffb4aa0223cc5ff71e1ba525dfea857eed8f1193170289da6adec05ef

Analysis

max time kernel
119s
max time network
134s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnit.exe
Size

500KB
MD5

03325e4d0d45668ab4e0602d4aed4113
SHA1

d90ac82a694395c06d5f10adaeaf72419f1b513e
SHA256

6cf21e8ffb4aa0223cc5ff71e1ba525dfea857eed8f1193170289da6adec05ef
SHA512

2b333c5cdd176edd3b789ea626845a8d43d995cc0f82a9090379195c4a99138d4babf43c66a5167b74d3c768afbf6ec7141c4594d60d03d4fa01834a9bbb1291
SSDEEP

12288:FyL5p1KP2wMLyro903gbKe6nVXsyF7SoYFR4jO2LpACRPuo:mp1oMLAgj6nV8qSoY3Op

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2556	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnitSrv.exe
2292	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2564	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnit.exe
2556	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnitSrv.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012262-2.dat	upx
behavioral1/memory/2556-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2556-13-0x00000000002D0000-0x00000000002FE000-memory.dmp	upx
behavioral1/memory/2292-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxE418.tmp	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnitSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnitSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnitSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F0165591-AA5E-11EF-A5FC-C670A0C1054F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438612889"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2292	DesktopLayer.exe
2292	DesktopLayer.exe
2292	DesktopLayer.exe
2292	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2724	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2564	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnit.exe
2564	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnit.exe
2724	iexplore.exe
2724	iexplore.exe
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2556	2564	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnit.exe	31
PID 2564 wrote to memory of 2556	2564	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnit.exe	31
PID 2564 wrote to memory of 2556	2564	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnit.exe	31
PID 2564 wrote to memory of 2556	2564	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnit.exe	31
PID 2556 wrote to memory of 2292	2556	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnitSrv.exe	32
PID 2556 wrote to memory of 2292	2556	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnitSrv.exe	32
PID 2556 wrote to memory of 2292	2556	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnitSrv.exe	32
PID 2556 wrote to memory of 2292	2556	2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnitSrv.exe	32
PID 2292 wrote to memory of 2724	2292	DesktopLayer.exe	33
PID 2292 wrote to memory of 2724	2292	DesktopLayer.exe	33
PID 2292 wrote to memory of 2724	2292	DesktopLayer.exe	33
PID 2292 wrote to memory of 2724	2292	DesktopLayer.exe	33
PID 2724 wrote to memory of 3052	2724	iexplore.exe	34
PID 2724 wrote to memory of 3052	2724	iexplore.exe	34
PID 2724 wrote to memory of 3052	2724	iexplore.exe	34
PID 2724 wrote to memory of 3052	2724	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnit.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnitSrv.exe
  C:\Users\Admin\AppData\Local\Temp\2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnitSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9870515edf2e7d4e6f95c48a006428a

SHA1
c702e6f0f6e6be3dc88cd70e3b3e8c71161f8abf

SHA256
e8f21a0890c1365aee61bd4c2e1334157f20eac6ba9c5fa1d49ed23f5e7f2ddb

SHA512
b21721c88ccdbc49357495ae7f668cdd94978e9f79d787e2df2b422c82721dffa318d648316fc7e8d2d4733b245d12ad61cd7c95f4b02b9aef91d0f93abc24ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
385ba8646f1db52e5c39a4ec8f6ee56d

SHA1
9caa950c98631e97ff3f46ee2cf634059347e731

SHA256
daca7665a28ea8378de57ae883085129338428d3f664dcf8797ba7d749811eb8

SHA512
cf400963c32d994c02c91e9b9fb021580df557962b16c05e346ba803e7aed0a187e5232bd2852f7b075b2f807080e900c4329cc48a0c3d494b8cfb9ebb351e64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f6c43d10d59a94acef54525b81208a9

SHA1
d8fa67f544a157935756a3ff5be269c16ef26f38

SHA256
39bbab30276b8e559a489e6420b551e663f3a296cfbbe38980fe8e1d1fe0b0c4

SHA512
cdae70591df08d4c54b8fba7f80f310f99e6b5b62d0d3872edd241609e474570cb4ad8f605336bda95ababbfe27621c247d3106bf33dced6850fc48e91e05a4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f42f60be88c094248d8dd0f6bb889f5c

SHA1
16d519ef274eb8477860a288361b35d27602ca89

SHA256
244d3f15f3a14d880a7f632b2137a44911bc45d10320984338e35149ac6341de

SHA512
28b6ea3fa7c4b1e59999432cadd2b20f84342fc37766ecc0fadbbb4ff9f5a74d8459b3a4d7850ca9019f96840ce718d37dfe22b9fb5292a0620bd708f7049759

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1770cdb8a5060b1405da951987359368

SHA1
2b3aa17815b2f5f77dccef9582232dcbc59ea0cc

SHA256
d7c5699766ea681ce252d55a2c91fa907d5cafb0844010e48c1bb250b6ddb458

SHA512
ec8fca7e8c643208b01d8a5b2a260a8205a1633caad628ce0e0a8d1643fca339f55e10639645675cf12f921f790326f8a1ef1f090a9d13fc431360178c7d4c6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d77e9a4883fbda6b5d5002920ed33366

SHA1
15786fde12f83cbefed42d5823cf21e546d783bb

SHA256
2b816044954093e4a72ff4aa1c69043aae13384bd326f13eaaf82c061375eeda

SHA512
bcdda92cffbaff7fa72ccf493132ee39616b9554da9b03994532b04633b87d53410f3f306baed5ea0b2fae39b3cae13af98365b9015a5e0176bcb6cc18357efc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d08078f46935807078ca75da69f97f20

SHA1
1306d5e10933d533e6f64ad62551c1346716535c

SHA256
db101fad62821b6f37aba154a06fdc382b0d49f1a47f00084f84db214f265ab5

SHA512
729a7033731c1aeec782bd970544999e25a735c076d7f2ab847603f6b3102077eb599c519369ffacf9fcfe12e90428ae876fec28272b0677d5eb2b8838e0cdb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c5e809995b52c779850ff6eb0f7f62f

SHA1
cf1d51505fd17cd7cd0a140a4b692f1c4ab17356

SHA256
341dd4f87648be71bda634127c380b2b9fdd6be87c4918e6dc971fd75879c392

SHA512
3b9ccf506ccf20c7eb8d99550f17e9178ade22435cea37ed2541eae1dae33b2f82c3dbf1bfdcbb3a9e8eadcc06a08f5c259551fd3ffff8658466f4efcd33834e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bacf4fef0019651ad78e275ccfbd910

SHA1
b4f5c8e338b38ecf2bf91aa0d2f72c27742863c0

SHA256
630898bf53392320fdbf7a7bd537e605ae010bd4517247840ccc24823723dafc

SHA512
8491fd1205d0e23b23e5b3626f0d531ca06aad6a36e57fa4431bb2cc87b8a85b34bbb5f94f68c3f5f2157f1cede33cdc367f137b1458eb7beb1b47ce7ea1d729

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89306dafdcdd4473ea1938a1fe91226e

SHA1
4d3a88c17961dd1b6ba7b46a469d68c0a33c86ab

SHA256
10216640c36d3183637897cbbc513005fea3cfb294190fa4dcc9339967cca351

SHA512
975fd2f50f30e4c24f85beb7443ae1a3b79721a7a4a0b6f88689bbbd6ad0495d54366cbd3b1075ee94969f1b81924aba014a50b30923f339e54280aa55a6205c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb15c217e669fe62b376c92c2b8f270f

SHA1
fdc1d2dee6f1b243b2c57e87853f0d683ed06428

SHA256
28cea566f21b9defc67e069f99e27eb27bb00896c921b576010d0481c2895b4d

SHA512
ad36e1f84f69845a0b4e67bcce5b7815db61bd83747385a36731d251833eb78dcd094d7b311402ab501f63e71821d3f12531ffb8b79be1187723a5c8f4cb39a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb11b0e485f41181d8a2668288c84847

SHA1
d3281310bdcf81c28b731ba7ed620a353f7c0890

SHA256
fecc4e340503271ff558543b90b349bb52e82d910ff7888d9456293a7e19389f

SHA512
279d85bedc6cc2ec5060d1edb2a5b1d6ee7378e07f35c4f6535427d5f45409e57f244ecb8ef5ea8ef4999272a1ff3f64a2f3a8d2b7f9690b95344763f3e5a718

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1eb9c8f9478b237fb7fcac1388b9fc7d

SHA1
ddf69163b42a41f900458c4913c17c83ab51efda

SHA256
2ec3800480323d86b5f5476c995b91e18cb6266610b35d4892de29b6b870d7a1

SHA512
fe15221e00116e03175480ce993b3911e61a321b6d2eeefc5a438051263707d46332a75019dbf0497e6015371fe4e0c065e34772290236d57c4e622fb359cbef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a008294c3e7cfc1137dd36af5b5c44d

SHA1
95f7ffd3aa8740dc35a19c6151fdcca0b09bfce9

SHA256
c4efb783accb2663fc0a192a24ea17d9d14568f960b5e0a5af7a6022374d07b9

SHA512
877aae1e56b91d067c1cc498b2119d1d4d1d19acc22b7491866724f09711489df8f720d563abf6b9f1e9eb582d34b8c767d78456a4edaa7f771123681878d7f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a62c5d4a98f89d883b4c13cd1661e88

SHA1
eb1a09e2b1d67637dfc8495a4c78e3fb8c850776

SHA256
af7ccf2809505157fdf6f6f78740d1c6919b0ba642158873779b6c8002042eea

SHA512
3b47bf0d936b4cde2e1982b5aadcd72e13ef0bec13a84b0fbb7876210849ecc57af61d47ad99fcf7247999335aafb66b5af07e70e9a242a983c03accf89afee6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e52db3bb786601190961072a10e7eab

SHA1
4210cb9dd85c613463ece47697514d44385bd9bd

SHA256
80ae0c755e9818e63a487b9f9191a9699ee0d5a2cf11a9ca978c2cce548b7521

SHA512
0fddb95e55be3e2cc0e4ce7a6ac5348caeed7e3fcbaba6d363ed3f8eaa0737b206f643f9436e14244a575ffabc5fe7626dd3f5d75ff357c17cda4cd50f86ee1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29c8ede507c9345808ca19b5b849077a

SHA1
54ef15a19c950930b1a5f0a98794c3cfb28b6def

SHA256
eb14d307f5e1b524b1151ec0361a4fcc7b4998b4559c7fef0270c5aa68483f40

SHA512
8dc00f955207ec0666f2aebd5610411020b9e0134ab50fa3028c185110b1b64de6adb3d74608f07da428a3657fadb85d2de9b7a3d8d1798a716748e619c2e1c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fff57848dc7e9334c301c8c5d9fab6f3

SHA1
0d25584af51e31fa458857bacdad21f05913cf64

SHA256
e3f7ce96c454d4f88d66dc99fa5efd20f4618c9226e0098803076ca789fa2d81

SHA512
cb60d3afb6608c3a2754af42da53a33aa4d5a816af7cb7b6f7f96ef7a6bee22d02082db85ae068d4472a6210ea07c552d3d9566f3a1422a1be53fa4789b2276c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab84D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar91B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\2024-11-24_03325e4d0d45668ab4e0602d4aed4113_icedid_ramnitSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2292-18-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2292-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2556-9-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2556-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2556-13-0x00000000002D0000-0x00000000002FE000-memory.dmp

Filesize
184KB

Download
memory/2564-5-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/2564-1-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2564-23-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2564-24-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download