Malware Analysis Report

2025-01-19 07:21

Sample ID 240531-v6tzsagb83
Target 87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118
SHA256 f60a3419526ee1d0632d51c086927fa6eece2e5a4909b47f7f681ba96b6f1643
Tags upx ramnit banker spyware stealer trojan worm
Score 10/10

Analysis Overview

score
10/10

SHA256

f60a3419526ee1d0632d51c086927fa6eece2e5a4909b47f7f681ba96b6f1643

Threat Level: Known bad

The file 87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx ramnit banker spyware stealer trojan worm

Ramnit

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 17:36

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 17:36

Reported

2024-05-31 17:39

Platform

win7-20240215-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxABA.tmp C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118Srv.exe N/A

Modifies Internet Explorer settings

adware spyware

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118Srv.exe
PID 2564 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2216 wrote to memory of 2604 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2604 wrote to memory of 2404 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118Srv.exe

C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2220-0-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2220-8-0x0000000000220000-0x000000000024E000-memory.dmp

memory/2564-10-0x0000000000230000-0x000000000023F000-memory.dmp

memory/2564-9-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2216-16-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2220-19-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2216-22-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2216-20-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2216-18-0x0000000000250000-0x0000000000251000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 17:36

Reported

2024-05-31 17:39

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px7BB8.tmp C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118Srv.exe N/A

Modifies Internet Explorer settings

adware spyware

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1792 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118Srv.exe
PID 4748 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3520 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3228 wrote to memory of 4692 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118Srv.exe

C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3228 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/1792-1-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\87c7381ffbe8103cbcbfddbe1bf3cc2a_JaffaCakes118Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/4748-7-0x0000000000660000-0x000000000066F000-memory.dmp

memory/4748-6-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3520-11-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3520-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3520-14-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3520-13-0x0000000000450000-0x0000000000451000-memory.dmp

memory/1792-28-0x0000000000400000-0x0000000000444000-memory.dmp
