Malware Analysis Report

2025-01-19 07:07

Sample ID 240626-e7k59sxhpp
Target eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7
SHA256 eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7
Tags ramnit banker spyware stealer trojan upx worm
score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score 10/10

SHA256 eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7

Threat Level: Known bad

The file eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-26 04:34

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted 2024-06-26 04:34

Reported 2024-06-26 04:37

Platform win7-20240611-en

Max time kernel 148s

Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX dump on OEP (original entry point)


UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px4B33.tmp C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{72332F51-3375-11EF-B47E-DA79F2D4D836} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425538368" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7.exe C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe
PID 2416 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7.exe C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe
PID 2416 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7.exe C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe
PID 2416 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7.exe C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe
PID 2060 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2060 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2060 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2060 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2292 wrote to memory of 2616 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2292 wrote to memory of 2616 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2292 wrote to memory of 2616 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2292 wrote to memory of 2616 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2616 wrote to memory of 2716 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2616 wrote to memory of 2716 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2616 wrote to memory of 2716 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2616 wrote to memory of 2716 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7.exe

"C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7.exe"

C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe

C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 adnetwork33.redirectme.net udp
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted 2024-06-26 04:34

Reported 2024-06-26 04:37

Platform win10v2004-20240508-en

Max time kernel 149s

Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX dump on OEP (original entry point)


UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px5592.tmp C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426141472" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115138" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115138" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{712439DB-3375-11EF-9519-FEF50CB5D633} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1166606505" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1166606505" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115138" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1168950168" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4680 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7.exe C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe
PID 4680 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7.exe C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe
PID 4680 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7.exe C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe
PID 660 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 660 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 660 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2648 wrote to memory of 2604 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2648 wrote to memory of 2604 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2604 wrote to memory of 224 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2604 wrote to memory of 224 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2604 wrote to memory of 224 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7.exe

"C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7.exe"

C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe

C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 adnetwork33.redirectme.net udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

memory/4680-0-0x0000000000A60000-0x0000000000A84000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eef68e025ef63426f5438cccc9ea7ad2c8f64a4916b3756b533eb0e5852ebaa7Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/660-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/660-6-0x00000000005A0000-0x00000000005AF000-memory.dmp

memory/660-5-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2648-11-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2648-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2648-16-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2648-14-0x00000000005B0000-0x00000000005B1000-memory.dmp

memory/4680-18-0x0000000000A60000-0x0000000000A84000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 b9b9f42ce6d2b20bf169d05480d239d4
SHA1 32b094cc2ff79f07fcd68d585846b919bc350e4d
SHA256 4d16bb8c9a34d4de9d39bb5f0e87095617b5ad551112db17b38b6cb752fbdae4
SHA512 36b45c544439c6b1fab4c2fa58712475a65ad467e3da61086c4a953d6587d35f5c6ae7de740863295ae0d3534cbf67d0bed6843d95b6786b50431bfeebcf1010

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 098dac61b850f697187bd1124f5a9b0c
SHA1 34765f327b9944f80d066b98a1bf63341062a17c
SHA256 979ac48883cdb8013dabbec6a75b7ad15c6951c800e942e48cb3702ee5bb97d1
SHA512 bb665165f67627f57fd116aa5489b209b0e872a6937a4b409b1331946c382bb00704d080b30947294e7cb931b245dfca82865f827294bfd6926a28b1596ade1f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2IX84YPE\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee