ramnit | e68b5ca4aa7e35e08411dc1c05cf33b0e50c9287ebbffdc07750532fca9e33c5

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
Size

7.7MB
MD5

d2f8802580c4aeec563e44c42a15f7f0
SHA1

c73ad943787072f1014a9c6ac6b57dea622508c9
SHA256

e68b5ca4aa7e35e08411dc1c05cf33b0e50c9287ebbffdc07750532fca9e33c5
SHA512

e77d017a7d60b4760bdd03c7ebb86e1f4a9ea1e6a218f73558ed5d4a3771da69004657a965504bc0909373c587189fd9297886884ea92b313cf374c6ca64acc4
SSDEEP

49152:r70vVrYK8m0TzBNMFcUVcAYXnGYXPNd2kala+yihdXAF/edvoRFRh1Z+WD14gkz8:rwdrytXlposN/I83HpR7h5u

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\lsass.exe	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
File created	C:\Windows\SysWOW64\drivers\lsass.exe	lsass.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.pif	lsass.exe

Executes dropped EXE 4 IoCs

pid	Process
2256	lsass.exe
1664	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp
2868	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe
2784	DesktopLayer.exe

Loads dropped DLL 5 IoCs

pid	Process
2248	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
2248	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
2248	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
1664	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp
2868	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	lsass.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00150000000170f8-17.dat	upx
behavioral1/memory/2784-34-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2868-29-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCBC7.tmp	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443036141"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9FBC26C1-D299-11EF-AA78-72B5DC1A84E6} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2784	DesktopLayer.exe
2784	DesktopLayer.exe
2784	DesktopLayer.exe
2784	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2176	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2248	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
2248	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
2256	lsass.exe
2256	lsass.exe
1664	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp
1664	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp
2176	iexplore.exe
2176	iexplore.exe
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2256	2248	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe	29
PID 2248 wrote to memory of 2256	2248	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe	29
PID 2248 wrote to memory of 2256	2248	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe	29
PID 2248 wrote to memory of 2256	2248	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe	29
PID 2248 wrote to memory of 1664	2248	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe	30
PID 2248 wrote to memory of 1664	2248	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe	30
PID 2248 wrote to memory of 1664	2248	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe	30
PID 2248 wrote to memory of 1664	2248	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe	30
PID 1664 wrote to memory of 2868	1664	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp	31
PID 1664 wrote to memory of 2868	1664	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp	31
PID 1664 wrote to memory of 2868	1664	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp	31
PID 1664 wrote to memory of 2868	1664	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp	31
PID 2868 wrote to memory of 2784	2868	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe	32
PID 2868 wrote to memory of 2784	2868	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe	32
PID 2868 wrote to memory of 2784	2868	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe	32
PID 2868 wrote to memory of 2784	2868	2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe	32
PID 2784 wrote to memory of 2176	2784	DesktopLayer.exe	33
PID 2784 wrote to memory of 2176	2784	DesktopLayer.exe	33
PID 2784 wrote to memory of 2176	2784	DesktopLayer.exe	33
PID 2784 wrote to memory of 2176	2784	DesktopLayer.exe	33
PID 2176 wrote to memory of 2992	2176	iexplore.exe	34
PID 2176 wrote to memory of 2992	2176	iexplore.exe	34
PID 2176 wrote to memory of 2992	2176	iexplore.exe	34
PID 2176 wrote to memory of 2992	2176	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\drivers\lsass.exe
  "C:\Windows\system32\drivers\lsass.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2256
- C:\Users\Admin\AppData\Local\Temp\2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp
  "C:\Users\Admin\AppData\Local\Temp\2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe
    C:\Users\Admin\AppData\Local\Temp\2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1523bbb4dac7f9112759ec02ca89bdf5

SHA1
9e284c07ede92ae32ab58858cb9e750bbb506e7a

SHA256
2d25ccec9f435207aeed4bb9fbfe837be187168f74ef8ad9ecf2747ab0cce466

SHA512
421134c5e71426d5313ceda95cf15c312bd6ac0ec9e3bf9735d4de9090ca64161eee3dd6a57ee2d7cbecbf11394e74668351a2ffca9bb6880322f87b45a3f1c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a5b37fc8e556d49c580bcbcb7fdd780

SHA1
15df0cd4f3670941439ef0dffa2f7b61cc395660

SHA256
dedc7e239ad09f1af78146ae9714de1f5c6c2ab213c94294257048331216c9ba

SHA512
77f7cdded16981b326eefe9c5cacb6bb3ecc827ed959650c8befca154d181f863932695740d02e9f1c75e02d7e1c9f4d2a910ab145f30276f9d8e0b05aaf2696

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26f3026e4ebb2bcc9c5c48e2b35df74e

SHA1
680761f8e0eeaf11af3dfc4b65affc46b2072840

SHA256
b34fd73b5e8b96f4aabecf997a473bca93967e6c4b200bb7690460a349e0202c

SHA512
706980d650a9788788403ccb3413e01660c6e6fc9759c86ff645b1229edfd75a0777b683205f6ac6e7c208e1fe40fb9cb0ce149ee04e5d773d93fd97622a7538

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac0841220cd7790f2f5529118f97464a

SHA1
203fd3bfd6c95e8976e099f49d1c363794844d73

SHA256
ef7784aa6bae43e02ce9d9692756728ed484a1c4c14f4c1e00228396aef186ef

SHA512
40520878b14dca598399c3e8fcdb4e0239b9bb1e0adabe021072353145da0f38ab8d0a9906c6d857a7d8edeb28b3bb23891bea8b72c1ebd4365b164aeaa111c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a1dc5ac7ad7a1ff2d9b9870140ece8f

SHA1
2437fa4526ae21158dcb9a4fdee1eac4325301c2

SHA256
0379b1cf4ed076e345aae5f6a0185cc3828e85d80e4f2da3f861ba8a892ad8a7

SHA512
c66cc09155f79d1fd590163345e28e572d7f10753b23ab99931ff303af6563ee981db223b95d8da739e799cc009892a2e0212f3ccff08eb4fc12321cdc956553

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
620ca226b0baca6bdcc1137e99f4afeb

SHA1
6de35cd959376ae7d204bbb55919ef7ea6f19f91

SHA256
a743a46ec30e3760641ae54ea91ef842e1eb05dad3d39328beb0d103fd9163e4

SHA512
02bdc9e8f154157fb4ea497ca40b7206c9f76aa7ad8073594da8e335f0715e6c30d8216c0ca3917eca7c1941fb59b78e26bfce6f6d2c6a04af46cefa6982b13f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fbb9478b52ace7e21d756072f371064

SHA1
94d0465680ba2a47d1023856944d7ce7aec7b0a3

SHA256
025d4b7021d6798c1a003f6a350df5eca634061ddd421fb85df55902c11612cf

SHA512
5fe6b0af3dd3ea38ce0ac4ee4b53397a6a3f132403134bf3d5705db34110e9ad5c9c11f143ad6d2c1ebd81a8b5639f96ab9e0fde6c7fee2815efff8695f3e098

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8e954339468d3b2b2eab9e56fa0093d

SHA1
569655ed53c229bb5ca60ddc6ff3c565be0d60f4

SHA256
4cbfd0bff5d8ac259940228b6d8e1c43077dbf19b040f7b309a5f72cf110ccbd

SHA512
069326b9ea893a0f8cf25843adb60692903bb1c99698fdd0be56950f710905b5f932950a069c0bac62d4ab0a5b49a167c3a20f996c7f86f8b4a56433fd95b112

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d51d888f88ea3035a7dab33d0a85073d

SHA1
5e602b2c6dca0a908370939a1aec9c9d23f08a4e

SHA256
fc5551292ae09cc8de6a0d8901b16f78e91ab37b94023c15649f6953c74f26fa

SHA512
6cb1b2c509e5480407414397b2cafc0c9cc6215b1610d9bdcf09b36226e4dcf69b3ac56768288110dc1f85e90f1dfff0df6205d2ec0096dfa253cafbf90053de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67652e8213eb958b003ff129f24ad130

SHA1
3c252b2d5dd473cef5847d20624e16cc843862ec

SHA256
340315609d9c78aa268c3844d2788bc897ece54eea14909fc47313de4e98c388

SHA512
d69df668a92d6ca3bda39f9a4005fccc091f8767a96a03097b2e220da61f62d305adc29652667338d511a8926629fec6d1866d52fb337a584843dcb128a6cf7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
417ac9e2df5000b872757984758bf337

SHA1
5d520e078bf6979d9ece05ad695065dcb65013dd

SHA256
0d0d7bd9f293fc17c15b8dcfe01ba793186bc8a5fa6bdef735a4cd061ef96c11

SHA512
1428da4cf198cf3d7aa5f37c3f8a35e8b6c0001e2aaf5d8aea0f3c130bb7303a037b625baea2c9fa5ebf5125ebac40acea3cfc66b6ea2242031f5da4d78e966f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7c4915a74fd1b5d805d85c757535f1c

SHA1
6f69d023a61051276660d62b4193e8d1bcfac1d8

SHA256
549a8dd7a66420dc9c94a432a50dd4832af0dabf0b1ba4d4752a1d076d695b12

SHA512
99d7535318cec09a65db54e4cc84989e8b46a3ea92e77d0d65dfc7122495f3ecf1a33cbdca441e8331c23ae30c127a914f66e0424dcaf17f92785732938b2b6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0256e97bc16e56238a5c96789a82eada

SHA1
b0e943e1e14077681782179b902fe81754d405e2

SHA256
95d93332ab00333be7c47bc147d3b639a114d84ba44f6b21c4d56ecb31762ceb

SHA512
892d7754426d9d7c5b20410841c898981d5971af8fc10b6d36665e225fc8c41986a382e92d8a0aedb3171548ece3821d0844c925772a61ac1fabff12fa1c25eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c31591f035615941c063f30d6854c72

SHA1
534ee4f5eb2ecdbdaa1edc1b31b2852d35401b51

SHA256
4b4a5c59e97e3fb5b602db5dbb5bdd37fe2d763cb651855c1fe34ac66a825431

SHA512
13927781c4b342b18a0d73b208961eb2124067e5885ee478598b746ca05ed0721145c28366ed863773559f33c0c52d24971f0be36f7b1d58fd8648d75d895edd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
139e1c0f9e277439e2914d415ce220b1

SHA1
b2e6e01377f49ea11930c500e895bee8a4e27d34

SHA256
e0b7c6164651d66276b4e9887b5db02dd9cb27ba3d6bc5e3963cb034111991c5

SHA512
53b83765509323d70a8823d576234656c599479077c93c1c7663e775f207d2e79f9d3d219024ba5ffa7d60015a428ba4f8af92a16bdafcc414719912ff036825

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbe4441ff02aa7c9c4f14f561ede177e

SHA1
076e61af0523fe3e6816459d0616635a5ba8d9b4

SHA256
c198ba3395c990e964e7ff28266d790426da5bbac2cbeca7103f66ac9d409cf3

SHA512
d269a9b7d068241a72e107d9a45ae3206ec216f982d436f6413e971d8fae7665eab2e69f56f885e71019bceb3314674f6877ab4f004b98d8190478fce782d4c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4decfef86257f5fc53dc85c70e0a9701

SHA1
74492491e47b251f8d8c00422a2467203223a31c

SHA256
cd7e3d8b86dabdaaf9ae299c8938bd53893c4dd8f617ee5029f863ff1f2ee8ac

SHA512
b362112298f4e520a609dd8a5ee03df1ad2ff572c572b9a171f40ffe12951d41b4586208d9192cbfc3caad8e00c5a5d34a65655bc995905d830cfcb39fa326e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd9173b1230c0aba60c35b0761f838a9

SHA1
922bd1028250bda0a03fe61ab857e21b2ed0fda3

SHA256
3a2aca363452ee40b8eb4e5f541a8d9d5ff6fc20bda94b321dfc8f8f4ee78d30

SHA512
5353140f48595613df86aeb6378cdcf4ffcc76690e1eb8d6db4ac2c8c246a44e4b1b112424b1f117014d6f7023dad73ec57b5a8c995148684f652d2921f6970e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c2033bd0032d1486460e665354e5d2d

SHA1
8514fc0eff058d43b4a6e878ccee1d3b3a06ce01

SHA256
b8a3e1eb36ff860715779827ede7550cb3a72f2bc19b06336496a06e6575aca9

SHA512
3a36cc797ddb93fcb36c7ac17abcbc1a775cfc0df2e804bcba3f41c4f670480ee62053e3a025959c7600f6576b6d7a33878c04db8e4e6edf6d033935ba11cc73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b06977451bb13717ab9334027016a7c4

SHA1
9931348baffbbb1ee562831304b9b3e13ea6040e

SHA256
e03b45447f2d8aecbf4d7bb83d8d72e5ee9d98d9b41c6b5900444c08fe189628

SHA512
a0e69eea49689332e7a4e879c48f593f4c541d2e5ca5d93828b33081be83409a70465560113e9f2f85daf6d0b97baa468ec80b61b5335c6035c6f88d4370ffc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d846511b919759811f2330843ce345d1

SHA1
dfbbe14ffa4c1244278fdd4e54a17b40acbc6041

SHA256
cfd668b685044b20b66eb0e268f24679e4230c885a28e790a538f4693bd383fd

SHA512
470482548f06ff075732424043ea126e671e7d65a107925377e42355aa83636171cfb103a26f5ee0904e879883385150350213591002947f978310dd3a02cbb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a635bb245a8a80344bb169f87d68647

SHA1
f9f8205c91f66970a07e413893a91ac1c2492898

SHA256
d65baf4bf94f68f3c0838cab536ccb0bf5dc9c6016078e06ef3b1f5d675ed9c9

SHA512
9658997822aee4dd91509ad55064f4e2f17a4d0ed98e9106a0ddf808cf682213a7a60187b7d7ed7a26f92fd5600544eb5d31521140e637af1a55f8934fbe6b42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebfa8ed3622d804d3fff957dd8391bad

SHA1
8da24e9cb7c3765a81e4b5b5011e2681189ac3c1

SHA256
dc6b0e437cb90382c4932409f80d7d8fe21802328f8b4b6eea270f70460b686f

SHA512
84bfb3f034e216499c1610645583a5ae60de9037d2ead34117f83fd0fbeeb581bb205892bba3a00e00cf331971526aba2d804a391bcebdcec5ba1b4f4ce4c351

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6704c5d5fcc0608ad2117d9d2e699adf

SHA1
3ba01f3ee2bfe052edc650fa9e2d504a334990d3

SHA256
b79f54c1ebe85221e39d0f021c3d44eb1ec7d1585ca1784b0cb60645407ebe70

SHA512
066e1527d355c140fd9e53e2fe45c667f081038c2d36fa4d95138330847c82e4a0a7f97a07469a94582c6cd2a45f86d3203219e8da96bb0ee282e57daf329d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE746.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE7D6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictor.~tmp

Filesize
7.6MB

MD5
c596fffe583a2e74e5659f83ca156428

SHA1
8bff8a12d03b29c830e114df5388d82692321a1f

SHA256
9c02716bf7118a3b53232c810d5cd659d0d4304a1b32b73d3558d95c8e1a8b8a

SHA512
9dd11abf9aac4b9728c9ad5bf194d4229dd533021326f47c6d8fc6623a2be32e0849ea5d46acbac2ad4226f4c5b989cfee17ddc6b06ae339f13bb36547e1a408

Download Submit
\Users\Admin\AppData\Local\Temp\2025-01-14_d2f8802580c4aeec563e44c42a15f7f0_icedid_ramnit_ruftar_strictorSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Windows\SysWOW64\drivers\lsass.exe

Filesize
32KB

MD5
c451134261557ae5fe1ee308d0ae1b98

SHA1
e55a9ddd2e3b3083a76d091b13748f55c2caeae3

SHA256
c5eb765654730a8a3dc53997549d97542b419cc5f3fccb9d4a487d1a04dd6481

SHA512
5e9606529d2fea3ac3932f7f08fddc13497f9b3dfe66d61dfa14a68cd37d12cb40dd2a7071c6d8db346cfceded2b2947ec1d3c0291b15d250b75aee7adf52be3

Download Submit
memory/1664-28-0x0000000000150000-0x000000000017E000-memory.dmp

Filesize
184KB

Download
memory/1664-35-0x0000000001290000-0x0000000001A36000-memory.dmp

Filesize
7.6MB

Download
memory/2248-27-0x0000000002840000-0x0000000002FE6000-memory.dmp

Filesize
7.6MB

Download
memory/2248-112-0x0000000002840000-0x0000000002FE6000-memory.dmp

Filesize
7.6MB

Download
memory/2256-465-0x00000000003B0000-0x00000000003B2000-memory.dmp

Filesize
8KB

Download
memory/2784-32-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2784-34-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2868-29-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download