ramnit | e68b5ca4aa7e35e08411dc1c05cf33b0e50c9287ebbffdc07750532fca9e33c5

Analysis

max time kernel
149s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
Size

7.7MB
MD5

d2f8802580c4aeec563e44c42a15f7f0
SHA1

c73ad943787072f1014a9c6ac6b57dea622508c9
SHA256

e68b5ca4aa7e35e08411dc1c05cf33b0e50c9287ebbffdc07750532fca9e33c5
SHA512

e77d017a7d60b4760bdd03c7ebb86e1f4a9ea1e6a218f73558ed5d4a3771da69004657a965504bc0909373c587189fd9297886884ea92b313cf374c6ca64acc4
SSDEEP

49152:r70vVrYK8m0TzBNMFcUVcAYXnGYXPNd2kala+yihdXAF/edvoRFRh1Z+WD14gkz8:rwdrytXlposN/I83HpR7h5u

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\lsass.exe	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
File created	C:\Windows\SysWOW64\drivers\lsass.exe	lsass.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.pif	lsass.exe

Executes dropped EXE 4 IoCs

pid	Process
3004	lsass.exe
1404	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp
3048	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe
2108	DesktopLayer.exe

Loads dropped DLL 5 IoCs

pid	Process
2192	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
2192	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
2192	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
1404	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp
3048	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	lsass.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000018731-17.dat	upx
behavioral1/memory/2108-34-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/3048-28-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE0FC.tmp	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443035331"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BC8D7301-D297-11EF-80CF-C28ADB222BBA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2108	DesktopLayer.exe
2108	DesktopLayer.exe
2108	DesktopLayer.exe
2108	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2788	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2192	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
2192	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
3004	lsass.exe
3004	lsass.exe
1404	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp
1404	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp
2788	iexplore.exe
2788	iexplore.exe
2384	IEXPLORE.EXE
2384	IEXPLORE.EXE
2384	IEXPLORE.EXE
2384	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 3004	2192	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe	31
PID 2192 wrote to memory of 3004	2192	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe	31
PID 2192 wrote to memory of 3004	2192	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe	31
PID 2192 wrote to memory of 3004	2192	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe	31
PID 2192 wrote to memory of 1404	2192	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe	32
PID 2192 wrote to memory of 1404	2192	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe	32
PID 2192 wrote to memory of 1404	2192	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe	32
PID 2192 wrote to memory of 1404	2192	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe	32
PID 1404 wrote to memory of 3048	1404	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp	33
PID 1404 wrote to memory of 3048	1404	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp	33
PID 1404 wrote to memory of 3048	1404	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp	33
PID 1404 wrote to memory of 3048	1404	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp	33
PID 3048 wrote to memory of 2108	3048	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe	34
PID 3048 wrote to memory of 2108	3048	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe	34
PID 3048 wrote to memory of 2108	3048	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe	34
PID 3048 wrote to memory of 2108	3048	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe	34
PID 2108 wrote to memory of 2788	2108	DesktopLayer.exe	35
PID 2108 wrote to memory of 2788	2108	DesktopLayer.exe	35
PID 2108 wrote to memory of 2788	2108	DesktopLayer.exe	35
PID 2108 wrote to memory of 2788	2108	DesktopLayer.exe	35
PID 2788 wrote to memory of 2384	2788	iexplore.exe	36
PID 2788 wrote to memory of 2384	2788	iexplore.exe	36
PID 2788 wrote to memory of 2384	2788	iexplore.exe	36
PID 2788 wrote to memory of 2384	2788	iexplore.exe	36

C:\Users\Admin\AppData\Local\Temp\2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\drivers\lsass.exe
  "C:\Windows\system32\drivers\lsass.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp
  "C:\Users\Admin\AppData\Local\Temp\2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe
    C:\Users\Admin\AppData\Local\Temp\2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4846372883cebe392c81f807112cf3e1

SHA1
e7bef806bc89220a55a1023ca0d756107db4d597

SHA256
15d54f3077e015e67b2e2b461d968e0b6b827e54fed6268f1bc943a6f2ae197d

SHA512
7f7bd185d62e405c9f507d421ce856f623038c0f709b66bb89297b84fd2f35688c9ec3d91b8d3257b20d0d1009f65f10665bd7e764f8411e914f9ae377ab5eee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95edf62daf8e156cef1319bc1a74bee4

SHA1
f67e822cb862304ffb7fe7410c2879fc4df3dd39

SHA256
605997891eaf23c7c214041c7e1c73d8193c62a81918e2f831055e1942cfc78e

SHA512
3ae235d95360ad1eea6968f2decf136a77b9c356b789f891852140b3af676c4d76144fdc8eddede241dd6a411f88592f484da6eacb959512322170585e79b3e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f9061f39ab0080fa438cc27050d4553

SHA1
33f7efb2d73efda62306b671956e19d4b2bf4e76

SHA256
e536eec85758b1e955d64dfdd8e48d4ccf5dc3aed0762d6c008ce9e777963db0

SHA512
6a7015b712a4ca4ef54cd9e8b07ff2a3e64fca0b869e40848fd5ecde53da2017ac9b107d9cec50d5e097fe5d29d0af55bedddac415d71dedf1e5f35c431702ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66fd80f123de73852563b2d959b8b310

SHA1
fe04f9c33de3f540108d9880146011237524371f

SHA256
d151602b6698d136cb89e29f8843625fd0d920c20848a2e2cf68208b18803b0f

SHA512
ede1ece27a42fe3a47ff55b3f026eb9c48aa840dc36ec0474d5a653c3b36ff707171ceab7dcb010625c48d232795ebd514e7303fb1e088de36c8739252e53655

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae0526a4013e05c888a6a13234417b7a

SHA1
b85bfe51533e8028ee45e99c2bd883b7191b5fdf

SHA256
fe08e30a8870ef811f5ece6a3f990e2f315cf5a3a5ee14060ce9dba86d9805bf

SHA512
2042700bcc003ec285ecf3383b7b71e0d79e9b5ebd129bd721d318c230dcd197c148475281da2f0e028dec3fbf2b5d7aee0b5839aff97b9b6464e0a33984c877

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7253511c5732573a9539207697dbe40d

SHA1
f02ecd9844aa22fb37a95627fdecea343e12b358

SHA256
611ebc75240fa2a6ff4f19d38122de75c45192e85032d23ed0ea83cdb6bd9c45

SHA512
83b6713d05486bc3a290844fc2c27f6a78676595c1a1cd4ff744cb16cbb90121cd8bbfc5d4efbc92048d625d1d111ca356362a3a15cc6200ae590aa4932df122

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c90da63e286fffc05cdfd532638e7aa

SHA1
6f627c27c7fafae9589d783910c89a07a33ead73

SHA256
e16287b13a2d1b1f079d8b49421f4bdc9a1fef5d785a921a84058d31cae05e0b

SHA512
c54af541dabb8380b9f0f37e934afad91e7a874c84cd438119b955eb5ece034895b2d15800c86c0bda8acd9fbdd1a0eb37b56c0fbcfe83290bd43943ff8c9edd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ceda29fa737f35785e2af454fa830c3

SHA1
f0758685d85f76d61e3a693416a08339b7221da3

SHA256
a9edd8425cdf939f17561f4292077563f8a0ed96353d58e348cd910b918e42f1

SHA512
377ab8111df719c05446855e7cd10d443cf48f79f1b240ef573e4d1de0fcf37785443c9f8b2ed7983bc735463f21d9e8ff8c491079e13e09d116ead30b27b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fca8ae463334f7740825d08a22c71b38

SHA1
cc88114e8069d78853aa8d7a76e37a0a3f5f0060

SHA256
c9f348ca9c7d6cfe792737682c210187e1ab6e6c8afd533eb0734cc7a687a9b1

SHA512
3286954de580dbace7f40ae2db7fc4dd90bd4922c8ddfb1c49659616a86bc21428c6be32177a0cf992472124e204f9310117bf188aea3070884998f67a0db534

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ead2387454339709e6c76b2fb42edaec

SHA1
38b3c9396e890ed0a4a0f8c199fdf01c54a9b663

SHA256
8267bd7dc7f07ca0fd0ad01096b387b18e9821642c4b8f9f42a2f56e63e44086

SHA512
9fc01182d6dd70a90b174b43fd081bb365478750372c05e7a1b0e8d6426cfc92a8d957defc1adfaa96154a5128aef81bd37ea7b9d1248cb38c7f5b12b94aadd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d982dc93daab25979a0182725d5abb34

SHA1
848ef450176fff27785ba57ecc74abe961159266

SHA256
9f7e7e053971341778f0e0c8cc2f6150d024257dfcea627eef34a26b65dd32f9

SHA512
4b09239b1c9767fdea6afaa7fce0ed33d8c8918d848b90afb18f13cf60191cb1e07d3ee7da347583c774a8cab4a6ae27e475731f1563e904eac1b5b817027999

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
650dee350f6fdd260793ad70d5440176

SHA1
7fcf730ffbe7c58df19b4c2c3ff08495546641f6

SHA256
56eaa3e92a6d93a50540752c29d9d9d2ceea6b7f6932781f1c94b17d7695ae90

SHA512
0d54d8379103aed27d5f27a59e85fa279aad95f305267959fe0a27a0e6510a30a819659d51e81a9868fd2e7815f1c877b3752a21226963d08008b3c7f2b59831

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
089d806b9480fb269a2695c83216d225

SHA1
1330962c873fa19b991591cc13bfb3acca1700a5

SHA256
569a4e2b094b3a62cdccf803d6cdbeb444ba38e4d362a2ac60bf488c5ea547f6

SHA512
16f46adecf95ea824748691f388ab486945c8e7f5dd121174ffa315404825ed5fa0997878f8a4cf884234f86988f0bc8753cd49c2cf9a8b749d076b042f5ead6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ee318c0cf10a9e7856ce7a633588cf3

SHA1
67935b9fa28a41c2774f88e8566abcecb55f58bb

SHA256
975018947940436564d6f5c6bd705f99587a1f5eea206f7f3db2ac16ef734e0b

SHA512
7088f450647613a5004ea4628c821df7a1947e72569d12d414e635c872643cb3e9ec7a3f9e7c02a551c38d3ec4d3d300e63815639208143c85d250da10a1bc9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a8371f771a02958d1c76f8c5c82ca64

SHA1
713bde896e82c4e53d98362441ab1c344ce6f5b1

SHA256
cd971c99c318326fcd71766e9b27cf2d4076eb5f641221ac00f4291e2a2ff7af

SHA512
7e113935af37e7ae0027fe47573cca6727e19ba06889108f3ed31de8e680fc3dfbf91955f2c098fd1eb40985aba421667941358c857d81210af609652b829245

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4742022dee345e1bb65083fd964aa69

SHA1
399da2005bd95ff963176db4624100ddf949aa9a

SHA256
c78e569115b5a86d4cee2ccae186719b995ffa833d47f5dd90416cb879d496b5

SHA512
d19d0798600b2dc18c9217860643c7b608f9a5a66adf17266b42e40548c60972a3c744d377f33176b8e998432b3d12e52b046b4f480ed85968815a114ede8526

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a79fd1e78e69ce30f8be2d633be55c8

SHA1
74d6a390ae59881707372a218d606309a61731dd

SHA256
7c9df89ed9535b33a8de33bb2113429d25400316b99044aeb9e98cb3f5bc4f35

SHA512
7b96896414abb38d3b83922e2f41309cfba2b18fc61b4ded2b00a820b241921906ff51cc02545617288f89e9533fe20d80937ca6c22b557c81e42ea829eb8987

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b45ebdb64db6262f908c2456fd498b9

SHA1
af181ab27b5cc5c360f2891fa6b9ca6e67e7dad9

SHA256
87ecb085e4a542d182f2ddc7224fd8ece1a0d7067ae9634fdd686db16f1a2d3a

SHA512
0a2d759ed21f8c27c9684e4c5f208b5d84f6eac4a6014a9db192ffc0cf8c1f4731f8de88424c3579790823288ef1fe43bdae60d0dce37e9448c65bba1afe4f2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f071548a97bd9a4d733b9a17c763902

SHA1
00d103de9e53d136615ce8432191ce68fd6f9974

SHA256
841624adc369614302c19fa910548f044f1e740551e3a89172f209e7d7a6e5dd

SHA512
88f390939a9b7101e228af8fed5de1b312463fde647355db604baefaa6165b1c3ce3166fe6f41e02b5fd84acb16e1d496647f7eb4d005c6a1407a8d686556861

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp

Filesize
7.6MB

MD5
c596fffe583a2e74e5659f83ca156428

SHA1
8bff8a12d03b29c830e114df5388d82692321a1f

SHA256
9c02716bf7118a3b53232c810d5cd659d0d4304a1b32b73d3558d95c8e1a8b8a

SHA512
9dd11abf9aac4b9728c9ad5bf194d4229dd533021326f47c6d8fc6623a2be32e0849ea5d46acbac2ad4226f4c5b989cfee17ddc6b06ae339f13bb36547e1a408

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab52.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar13F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
c451134261557ae5fe1ee308d0ae1b98

SHA1
e55a9ddd2e3b3083a76d091b13748f55c2caeae3

SHA256
c5eb765654730a8a3dc53997549d97542b419cc5f3fccb9d4a487d1a04dd6481

SHA512
5e9606529d2fea3ac3932f7f08fddc13497f9b3dfe66d61dfa14a68cd37d12cb40dd2a7071c6d8db346cfceded2b2947ec1d3c0291b15d250b75aee7adf52be3

Download Submit
\Users\Admin\AppData\Local\Temp\2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1404-35-0x0000000000DB0000-0x0000000001556000-memory.dmp

Filesize
7.6MB

Download
memory/1404-29-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1404-51-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2108-32-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2108-34-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2192-25-0x0000000002B40000-0x00000000032E6000-memory.dmp

Filesize
7.6MB

Download
memory/2192-36-0x0000000002B40000-0x00000000032E6000-memory.dmp

Filesize
7.6MB

Download
memory/3004-466-0x0000000001C50000-0x0000000001C52000-memory.dmp

Filesize
8KB

Download
memory/3048-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download