ramnit | 764a68301b1e93fffa598107334d34e095268e99c465398b5eb59e35abf99c2a

Analysis

max time kernel
122s
max time network
135s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnit.exe
Size

3.9MB
MD5

e726ea1f4f6fe485ab5b24c42e2f93bf
SHA1

7d03dd1ffd022ad59cb6e9d85e3f2bf92a7b2d78
SHA256

764a68301b1e93fffa598107334d34e095268e99c465398b5eb59e35abf99c2a
SHA512

45f6583ad6d751d28feafb9c283bfda69842229bbdc37d3312c9746575ee9a39b93b1224cadbd4dff7f46dbc1dec7dea57d4e061b556a53e3efccef20598b895
SSDEEP

98304:tdx4jTpTnTjUFzSN4Py+KNRqIEpTNET00oj9ghi1RebMIg9Cbk/Vj:fx4jlTnTjUCqIEpTsojDIg9Cbk/Vj

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2044	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnitSrv.exe
832	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2356	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnit.exe
2044	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnitSrv.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000012262-6.dat	upx
behavioral1/memory/2044-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/832-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/832-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/832-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnitSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBDD3.tmp	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnitSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnitSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{88B74521-AB45-11EF-80AB-7A300BFEC721} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438711931"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
832	DesktopLayer.exe
832	DesktopLayer.exe
832	DesktopLayer.exe
832	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2976	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2356	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnit.exe
2356	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnit.exe
2976	iexplore.exe
2976	iexplore.exe
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2044	2356	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnit.exe	30
PID 2356 wrote to memory of 2044	2356	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnit.exe	30
PID 2356 wrote to memory of 2044	2356	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnit.exe	30
PID 2356 wrote to memory of 2044	2356	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnit.exe	30
PID 2044 wrote to memory of 832	2044	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnitSrv.exe	31
PID 2044 wrote to memory of 832	2044	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnitSrv.exe	31
PID 2044 wrote to memory of 832	2044	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnitSrv.exe	31
PID 2044 wrote to memory of 832	2044	2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnitSrv.exe	31
PID 832 wrote to memory of 2976	832	DesktopLayer.exe	32
PID 832 wrote to memory of 2976	832	DesktopLayer.exe	32
PID 832 wrote to memory of 2976	832	DesktopLayer.exe	32
PID 832 wrote to memory of 2976	832	DesktopLayer.exe	32
PID 2976 wrote to memory of 2424	2976	iexplore.exe	33
PID 2976 wrote to memory of 2424	2976	iexplore.exe	33
PID 2976 wrote to memory of 2424	2976	iexplore.exe	33
PID 2976 wrote to memory of 2424	2976	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnit.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnit.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnitSrv.exe
  C:\Users\Admin\AppData\Local\Temp\2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnitSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e016726a6df2b048e8a96dd44105a60

SHA1
974fd1c647bbd1c4382cd3afe5f97dbe7bfb9e21

SHA256
8c52e880b738eaa84768dee7a94f75ae67f3fcd080dc60a04b581fc5af5c88aa

SHA512
9f771d90f83407ddfcbcb0ea66bb5e23457ef633534d4a9340077a61dbba04419758cbf05ff844f5012e2150ec392387ee4a9ce52f24422fffbcfba83c1cf01f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ff2ee623b508117cafe440553fd5028

SHA1
a6369114d712979d4c75550ae85405e287ad2c3d

SHA256
df26d656e9dc36be27cd2e33f8c04b0d2154b0c9d7532ab3d41c5c529e385b4b

SHA512
1d786f3cfa745d53a1639ca44f5fb9bafdc16e093ccccfebd5f44e82dbe72f28811c83fcacfd88cc6cf947506ceca7c0645951d2e92752a8ab690c892183af28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66aabdda929762d9ec1c0aa10de54f04

SHA1
31b97a49143744d3b2eec405cd95e39c5319a436

SHA256
9a4438ac5d9c9b2cedb7f7bd116e85d46f2e044669cbea1a575b12d07daa6979

SHA512
dffa89ee43fd11edd1d83a778dee4a124d088d7ee7d16cd651154791b8deecc6b592bb7e6f6f5cb4fd1f45b7412fc262242582d0b6acfcbf89e677eab12d9fac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ab4c7868779a05c3e7b30e1cf638a7d

SHA1
2f43db183d4704a1ebc06a76e43aa51edb0e6873

SHA256
c296c12de7a10873e9482c36b2c8360aee7b446c9178bdacd4eedfd20484c64a

SHA512
93f3ab04e9a02f0f8c8e7018d7ba213db7431dae904505969f61e0e3b1717934a088c8b47365053e4555e7d2c85e01fbf8e5d2c8ecc293fba36623bb425f799b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b26c229ebc88d1b1c1cfa1a3490eace

SHA1
f38faba20544e0aceb3fe978c5a920dfe884bc63

SHA256
1ccea00ec248758fb1549abb043be68c4dd2c9024ac49617c6cded84dbc094ef

SHA512
3c75a1105e2fc538d847bf4a0ebbe5a2a7bc859ed4f3d5cda0e6f3314ef726d271b225f0870de329e5af11318cf152259bdca4da2081c4ce844762e760981350

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a4c41887ad6dcf65ca92f3ac21218c4

SHA1
1f992b213399546d08e23d5667196991c50af22a

SHA256
58edb73ac3bb7cbd19a809becd41a1c7aef4bacb613ff9a9fbb4d1e237c75a32

SHA512
ad78a7559c187291bd5878ce9c1cea00e69ef82e3679a8b4713af2e702cde59570407a80bf9ab6b63bf4d3d6042104287e5114118ef57a2387f5a69a462c5ac0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e01174df7016c8ca9a07f35943c1dc3

SHA1
6ea6d6276ff0c003a1ae35fc343f71ff60303e95

SHA256
178c4144beb4ea3887205c0c4cbeb9ac5e8a8b25ce093e443e74c2421607a693

SHA512
7df4c2729ce85f8ec511be16134efa5de8f07562d93e38ecb5fc5748a86232435bf75f5ba42516c8cb525412335bb376f7f16c1d0ac10a8b61660e3f472ee010

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f10865e953f6b6c340e64bc1d7559bfb

SHA1
c66863111b1d878d837470bb844ee1d7696efe2d

SHA256
468d1ffca6a06ab0de9d22eeabfdd1ccc25e7daa720c184f7923a5eb603d4164

SHA512
da1f4f38aa6584e64bd7cc38fed6dc85627c36cf0d6a978260713c6c1807eb0234de74ee8199e6c034d7e7a64905aa1972ce98948b1d2d8d1f505dccd4cd66d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a81bffe37f4f495e6bcda7fc1f883d8

SHA1
9e8ab24d0f738ada8bbe7a38700648542ac027e3

SHA256
eae33a3d19af6b310a954b895cd9b7297f06a16613229d3887405111e2de991b

SHA512
0d7c8d994db667856452f4ab7d5540147866646e293355a02096e1dc685f7fb11d2226e3694496bb6a4301602e026d3c4ff8d00baf3c2859ab93c676bc61a946

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
152d6da485a2fa84b6e87944b6503157

SHA1
bbfd326624eca9eb690ab893d1a8d9842bee05d7

SHA256
b3697e47d9039dc3353b338e907eebdedb25e4f9c211ae230ef65334ede58aae

SHA512
a501f99030068d0394a04ac688d72bfd773a07e2e653c4f512738e799c7e7ec555037475bf244a571df466dec60027508870a026efa26e9e5540f0a63df83a2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c47b2791a432518da9270f8cf0bb8c2b

SHA1
e06681b2f27f0b47a1eb28d65b4d469332adcf9a

SHA256
a7ccbd33eea7def5fa2c0e6d5358e142d014a22be10ae4ad6656786330bfd510

SHA512
cce6daad499dcc3ece769a5b04f35b4e8fa01aaacfc00cd2f927c7a618545ab051556e804e03ab70d230afde0d85e2db29e5bd287d43aeea31fda027826eaed6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5e8d38bd058ac43cae61ac91d73865b

SHA1
3b3f67f61c84969984ca4857047c4395c6299e42

SHA256
da2314a8b2c27115da238d47243d01e758608ecf224588701cccb59744c29178

SHA512
68bbb65836602564fc0f879fd9704d6f6e8c3043bfdcb7d0c5c92553a75697fa7bfba94db3975cedb7e2327bc7c3c25c4cfbdaaf6a4f425aece00b1ae5ceb925

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc8dfbbc485ada8c83c8cfe424b67aa0

SHA1
000f305ede99368c46e6e32a8758e61455d16f98

SHA256
122db47c2f4102c60ed0d485598a446e71e5f291b1a9587b63794e1f534d4595

SHA512
5684f27ae1be9a858719a9310f5cdf3eae4e7e7c42c81932eeb85ee490cb3f38f36fee565b1ae34942afdf00cfa7c595cf77d04051f0ebf6adc4cec971eba1ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
314404ca3e5a1748420712c92c745e9d

SHA1
4d901e8fd7cafd6bb958abf6881ed2822f09067c

SHA256
f19db6b853e8e8ee24d74282555705de2f0a6479c3c242961bf3ce005f54f334

SHA512
080405d295ed361eb439a74c7a62fa2456af41d599680b79a29942215c8c985df6924504137c59b387122938e31919cf4a75834da9fa1394198687569cbc44af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b507770c370a93e14b76a8e5f348e6e

SHA1
8816ba1588e68e583f6a747c0e3fcac2637c8136

SHA256
27482bbf8aeb4104c054a6181e4b08454d47b8853094b181ea75a51cb9a33405

SHA512
2450642be3809fb1b991684be0366e3c08385eba00dc0ef6bd04fb896ba7058992337573e1b65fe7bb58bf93595ccf41bb3cbc416ec2d2ee50f3606ae37b6253

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
380d02e386030dfc21eab94271f72c2e

SHA1
d3e0aa7d07525a3c2e49679ce98107f05bf17652

SHA256
96aea94ab6914ff3cc4abc781ceeac9e8396f0d56199f65850e9aae05993425b

SHA512
423b15bf6cf9fd28304b904c3a3ff5a13c3d1bb4e336a07f2695c70b0e581e6a656e4fde1035d70f3c20500ddb1b5eb7b9e75fd77385aeba29c83561a16fe5b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13cc31da76baa466227545bf601a18d9

SHA1
d1847dec3a49d39145bf92475ef122d24c548974

SHA256
cf4152b6bd6d0a7b21b78ca42a41969abe8156da147c8b9e506a0f846e7efeda

SHA512
9aec882410f7a2353e964a8723024c504670ef3c0534ab12f6d9931f7933bc2d8c3c5236fd175def1a5f879a2f70c5a1ef6580408df9c59d8bb6c33966eef75f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d73a57179cbfd1197ee37c855211ead

SHA1
4bcf7079b397f0a617e7b138c3217b869424d38a

SHA256
7f4ceb0fb802a0803317ff681e02437923b2d0bf53b2148c4c5ac7a257fd89b9

SHA512
16f9915906fbb5891f3cb5b2f4c1e763c17a96c5030e926eda3829e9a94c1f838a8c63376fd129c5e9976e1c14e08d7ef60d57ea11166fc9be705afe14dd6a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-25_e726ea1f4f6fe485ab5b24c42e2f93bf_avoslocker_luca-stealer_ramnitSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE708.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE768.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/832-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/832-19-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/832-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/832-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2044-13-0x00000000002D0000-0x00000000002FE000-memory.dmp

Filesize
184KB

Download
memory/2044-10-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2044-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2356-4-0x00000000012E0000-0x00000000016C3000-memory.dmp

Filesize
3.9MB

Download
memory/2356-5-0x00000000001A0000-0x00000000001CE000-memory.dmp

Filesize
184KB

Download
memory/2356-22-0x00000000012E0000-0x00000000016C3000-memory.dmp

Filesize
3.9MB

Download
memory/2356-23-0x00000000001A0000-0x00000000001CE000-memory.dmp

Filesize
184KB

Download