ramnit | d4321ae1e165f5adca29ae3458bb03c69dffe96a8712c8cd297d1ef58a5beaf1

Analysis

max time kernel
149s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe
Size

7.7MB
MD5

9e5e962c28d2b4bb05a5c27697415866
SHA1

3719d116923c7b9433cbea5f950cd61e069245b9
SHA256

d4321ae1e165f5adca29ae3458bb03c69dffe96a8712c8cd297d1ef58a5beaf1
SHA512

d7fe7e12e0e7ad38a288f30bb8b6b60caec8be4c8c42d8ba0328d05496b40859100e79414087bbab11c02a1847daa8f8f82c97608465fbd7e24bcb943a5d6acb
SSDEEP

49152:J70vVrYK8m0TzBNMFcUVcAYXnGYXPNd2kala+yihdXAF/edvoRFRh1Z+WD14gkz8:JwdrytXlposN/I83HpR7h5u

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\lsass.exe	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe
File created	C:\Windows\SysWOW64\drivers\lsass.exe	lsass.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.pif	lsass.exe

Executes dropped EXE 4 IoCs

pid	Process
2268	lsass.exe
2836	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.~tmp
2708	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictorSrv.exe
2724	DesktopLayer.exe

Loads dropped DLL 5 IoCs

pid	Process
2356	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe
2356	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe
2356	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe
2836	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.~tmp
2708	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictorSrv.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	lsass.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000186e4-19.dat	upx
behavioral1/memory/2708-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2708-27-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2724-38-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictorSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictorSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px4B2.tmp	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictorSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.~tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictorSrv.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AFF4B2B1-D298-11EF-AF60-7ED3796B1EC0} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443035737"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2724	DesktopLayer.exe
2724	DesktopLayer.exe
2724	DesktopLayer.exe
2724	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2908	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2356	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe
2356	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe
2268	lsass.exe
2268	lsass.exe
2836	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.~tmp
2836	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.~tmp
2908	iexplore.exe
2908	iexplore.exe
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2268	2356	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe	30
PID 2356 wrote to memory of 2268	2356	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe	30
PID 2356 wrote to memory of 2268	2356	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe	30
PID 2356 wrote to memory of 2268	2356	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe	30
PID 2356 wrote to memory of 2836	2356	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe	31
PID 2356 wrote to memory of 2836	2356	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe	31
PID 2356 wrote to memory of 2836	2356	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe	31
PID 2356 wrote to memory of 2836	2356	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe	31
PID 2836 wrote to memory of 2708	2836	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.~tmp	32
PID 2836 wrote to memory of 2708	2836	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.~tmp	32
PID 2836 wrote to memory of 2708	2836	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.~tmp	32
PID 2836 wrote to memory of 2708	2836	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.~tmp	32
PID 2708 wrote to memory of 2724	2708	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictorSrv.exe	33
PID 2708 wrote to memory of 2724	2708	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictorSrv.exe	33
PID 2708 wrote to memory of 2724	2708	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictorSrv.exe	33
PID 2708 wrote to memory of 2724	2708	2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictorSrv.exe	33
PID 2724 wrote to memory of 2908	2724	DesktopLayer.exe	34
PID 2724 wrote to memory of 2908	2724	DesktopLayer.exe	34
PID 2724 wrote to memory of 2908	2724	DesktopLayer.exe	34
PID 2724 wrote to memory of 2908	2724	DesktopLayer.exe	34
PID 2908 wrote to memory of 2596	2908	iexplore.exe	35
PID 2908 wrote to memory of 2596	2908	iexplore.exe	35
PID 2908 wrote to memory of 2596	2908	iexplore.exe	35
PID 2908 wrote to memory of 2596	2908	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\drivers\lsass.exe
  "C:\Windows\system32\drivers\lsass.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2268
- C:\Users\Admin\AppData\Local\Temp\2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.~tmp
  "C:\Users\Admin\AppData\Local\Temp\2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.~tmp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictorSrv.exe
    C:\Users\Admin\AppData\Local\Temp\2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictorSrv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2908 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f4782b342262b3b779dffbfeb28b85e

SHA1
f6fa6094c3ec3868af54c924d9b453bb1dbef035

SHA256
52313e80de31b693f785e29e4dd1323db60038ec3f1bbf627859e9aef04b488e

SHA512
c00211afbbca435401332324fa4f578a7ea4dbad930def7800e964a89ec425410531475a5d25a71fc3e4e8d8ea164eaa1d1e6d073f3019d3ba1feca410e2e893

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d181a52a50112afe55a26220b9fa4df

SHA1
52b8f913262437f5a33add98a9fa75db58896da0

SHA256
cde2729dfb8b649e18a9dc9e0416429fc2de4257a9d10155c6f0f65091f1c7a2

SHA512
80f6a4f857744581e961f17b23da4e2e87cb74c5a96bfad864edafa1e0ab79a0b389b43f3d4caf72ec057671224a903357e9e7575d5229952a00bd2cb28f8bad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcba3f1b70c553a8b08217824df213f9

SHA1
6445da1eb3250cf9f5701e92ea3408bed40f40a1

SHA256
000f73cf824d9f8331b7fc40d8d5bed5e3d066bca0936630e9091ea297882729

SHA512
d3d88b9a389a004fb8d62d3137adc30224c394dcc9b0c21b1dafb74b431c18fcf5eb9272967ad794047f7924468f12bcec3e8094accb0016cca30b4414c1b65e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
311d7c4a3db42ddcd958e4190ccf291b

SHA1
75920dd8a8bb74a15a5dccca8d5337c51b8cff0c

SHA256
1c02f376e6f6c3cfa1c881e27d871111cf881cc2d557479223b79f511e9ac3cb

SHA512
0b70a34967e7f29baa5e76a359f347a17c02a327cb105226c1c9c9f22e9e6d77db925e43aa7e46bd1eb748ddef51590c3f7589af1b3ba21ccc393d0ab3ab37c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2ece74a4761afef92c61ec187ebad13

SHA1
ef93f07ae52a648b884b1c2f9c63467ddc6daa61

SHA256
27fd0f0d23915fe629d83ed04777f517d410bc7a4bc586c2ec286f816c4e874a

SHA512
337b02e97771bd8ffc9660479761ceb602613bd596a817bf0608159bff2b4aed25992ac78f23171eda238610227558587400f2b42740183e0e0a97d719ef1764

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7748727243583f2dcc424c77346b16d

SHA1
f9dfeb2f2c19fda77f72db7b74fa468fd898a629

SHA256
1c5fee0f91a3abc01c88a8550478151477f415e27fb4aa40ef36805322125821

SHA512
4559dc96090f1e6feacd7daf893c5d1e474b14291ba73a5bd113949562156ca263ba94d214d74942805c9b82b7dc06936dbea418dd6f3b5f7c099a974763efbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c85afa0472be59c536ab5f47af772c8c

SHA1
358f919ea742bebd2714919c9c17984f050ae891

SHA256
f2254d50b4a8b7f15fefe77571806b2763510802cc80a299d61102eee0a73c22

SHA512
fd2e8fbc99116cdd5baaaa83aa343b195573956a6017a72893935689c23280aa62a24dcc82873f960c429d8a95806c8decb9f2236abbfeccb1870ae4e5b7dfe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1661f0f29ff1ffd3e89ae62da598f4c2

SHA1
b2f17480e10e7fe62dcd81f1e78ce1deb18e87ce

SHA256
ebffa7042d4819a409c4e44738a5c353017475c3adf26489b7258005f0d3bd81

SHA512
0e364770f2fe3bea70dd153c4c4835008bcfa20e8a17509cd655238bfb96f9fe0426d3c6c2a0cd19249b9253a26b651996a345a69871c7221c49d9f199273b33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce4e2b1b142a1299615319d1613f6edf

SHA1
c5ca6160026905f6c6dcd8ec0b8c97e234d5e2b4

SHA256
676a746baf12c1c85ce42b639f665a218a98610b5d101d85c78b186dd1480c84

SHA512
5e142d34de2807a2684d82523301a3c68e74e44b955ab5546b8871208bebc0b80eddf0187ec37fe8bcd00455eb163cb062a4f03e9efe6bc8b8753454ee206a61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb2a7a1191e288261d5a7fdf351f0732

SHA1
6742a594764696ed84224aa492796fa13a62f202

SHA256
7f36a142015064a9e752857cc18a558607df6ab92cfd3e156024f54723384651

SHA512
e7bd8beba68c8962a9b2dd8c1f30e4cfab8e32a5718fc86533ba95713b1e43fcb04a9edbf5d340b9aa9ffb2b79c6921546a9494c34c1d5e41587e3300c99d068

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5cc6bc8a84160da8637b41cf0c969d8

SHA1
afc6b8d433d697ab6e302d4accfd7ce0a28ffacb

SHA256
2a5f2a0f79ac8d976ead14366a761b3a694f53988582a124d9981a1b4ed8a50a

SHA512
692d52da2bfd59fc59f67a0d1514c18e8a63cd3f73859fde45e07e120b2b8f4804f32e0612ad32a3d41aea7469d375b4d0024376e75115ec6aa9e3db57f293cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e068ec0e1e9391d2cbf07cdc0d5ad23

SHA1
0450af5806f4115becce236c30dd26faf5bc8f50

SHA256
79a71920bbd88ac5043cada2a8c204ca24772c77452b66ac302a7a1d5dd1a82d

SHA512
87c34cef4f51a498b901c6e1ba318f32c9ba9ed5d5f16f8f1fba109a3383e90456fd8029862f5f239f8e534225ae204979acb8bdfb77842b7ddf1e739d0c7882

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92e6db566e0b73b047d2f4737834efff

SHA1
382137a77f43c34492fbd2f8b059dd917a55903d

SHA256
6ba6dc2d4c59472f3e058e8640150f06d03ef92fa058e5c473781945e313cab0

SHA512
71b6289732a7abbfae699830a0b8e3a219633b023596dab5eed5a3956ac6fcef9aeb046bdb4169abd298be0f6e19fa3ee5395d0d14d84c4c51685bf8158c98a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
871b4023582f0fa3287ee426ec455683

SHA1
567c719d2b1185228fb685bb576e2e25de19b792

SHA256
fa57ff60cca486ac7b8099cf3c8a3034ebcb38f695be08320e35fd13cccbde5b

SHA512
bf425d2641e7bdc99733c2c1874958f2cfe2fcf3428e9624e7d225e7fc9576d18cfa706857342dd5744a89c56164bf69b11f4ab5ad6aae6e4cc7ecb6c8a6017a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f97ac513dce86d59633e197b30a39819

SHA1
f23dcb87eeb96091efad69e536a38653ee9374ef

SHA256
b1f26b153ac8ba890f4dd6cb6389fbdff0274dd5bd933d295ee3c8bbff11c025

SHA512
5f1537b9238a30403ee22170bcf164852582d15518d3e62f33bcabba877803d421760f6f58c232f69419dea684f5a7d9aff330156db6666c9983d58dfbb90dec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e3074897469d5a3dd8a4a3dccc2164b

SHA1
d6503bd058357a64f53e4b5f596db93ba47703fc

SHA256
edd9b4e887e15fff5c195e275a3ac4039dc9ccf75bf34360cd53c73ddfff375e

SHA512
8195802ac0666d24c005e9657f405c10c00864ae3f9569c6a58a07d3a2b8f1a1f802e98368f38254230b9b3a5788cfca12e041f0ca3d55880bec30e920ca3358

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04616a5fca288cb37bf13f85312f8e8f

SHA1
eba00963ad2cb8c979b77dad11bcefa585ffcf5d

SHA256
59379267b15ae3ca726bbe6bc3ba7e36a4ced2d29ee62e85481a1c27a316a0b1

SHA512
b7f20cc685441d3a70d32974001525b02155649b43609f02ae13d0b2b9db76a70cc076babd16eb85e52c3d1366d91c1b3ae5fb9843cfed963129bbf65eb6607a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c9908a40c81409e9e28b53ad41a4c14

SHA1
5f31ca2f9e007e074acac28e36368205ac956193

SHA256
b1a12444fee0a94a99d612db986d2417ffad23c5428ec590c637f34b3a9b592c

SHA512
68bad40d6e94f4fd935d78659d96b791bc6f8b5d78a5fc5a6f409ad39247169039fca1b10da8a490e24c60906768e573261c3051820586c8ae075eba136572b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1A47.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1AB8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictor.~tmp

Filesize
7.6MB

MD5
cad221d5a37741a26f6484e947b178dc

SHA1
22b6f29044d87ddd5e03b17e0355a8ae28401529

SHA256
a3b767f26cb84dbe455615b1d7c3f6a5bc2c5d7fd27b30c6941c7b733e190536

SHA512
e324206e5b25c0dbc6088c26fcd620cb8baeeda70adbfd40da056e42207d26f113cc09ac8d75de8f5d10404f57876149288159123d2b7f07544eb4227b1e4202

Download Submit
\Users\Admin\AppData\Local\Temp\2025-01-14_9e5e962c28d2b4bb05a5c27697415866_icedid_ramnit_ruftar_strictorSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
c451134261557ae5fe1ee308d0ae1b98

SHA1
e55a9ddd2e3b3083a76d091b13748f55c2caeae3

SHA256
c5eb765654730a8a3dc53997549d97542b419cc5f3fccb9d4a487d1a04dd6481

SHA512
5e9606529d2fea3ac3932f7f08fddc13497f9b3dfe66d61dfa14a68cd37d12cb40dd2a7071c6d8db346cfceded2b2947ec1d3c0291b15d250b75aee7adf52be3

Download Submit
memory/2268-469-0x00000000002E0000-0x00000000002E2000-memory.dmp

Filesize
8KB

Download
memory/2356-39-0x0000000002AD0000-0x0000000003276000-memory.dmp

Filesize
7.6MB

Download
memory/2356-16-0x0000000002AD0000-0x0000000003276000-memory.dmp

Filesize
7.6MB

Download
memory/2708-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2708-32-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2708-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2708-26-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2724-38-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2724-36-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2836-23-0x0000000000100000-0x000000000012E000-memory.dmp

Filesize
184KB

Download
memory/2836-17-0x0000000000E80000-0x0000000001626000-memory.dmp

Filesize
7.6MB

Download
memory/2836-40-0x0000000000E80000-0x0000000001626000-memory.dmp

Filesize
7.6MB

Download