Malware Analysis Report

2025-08-10 14:19

Sample ID 241003-12jwxayhmq
Target 10af840c6fab21d128bd3358c3d8b567_JaffaCakes118
SHA256 d07b6e32b5993974c5662dbfa6dae23a623cf5f824451336facba3776d1be5bb
Tags
ramnit banker discovery spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d07b6e32b5993974c5662dbfa6dae23a623cf5f824451336facba3776d1be5bb

Threat Level: Known bad

The file 10af840c6fab21d128bd3358c3d8b567_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm

Ramnit

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-03 22:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-03 22:08

Reported

2024-10-03 22:11

Platform

win7-20240903-en

Max time kernel

119s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10af840c6fab21d128bd3358c3d8b567_JaffaCakes118.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxCF41.tmp C:\Windows\SysWOW64\rundll32Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32Srv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434155192" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0DA78151-81D4-11EF-B4D5-7E918DD97D05} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2528 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2528 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2528 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2528 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2528 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2528 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2172 wrote to memory of 3028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2172 wrote to memory of 3028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2172 wrote to memory of 3028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2172 wrote to memory of 3028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 3028 wrote to memory of 2340 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3028 wrote to memory of 2340 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3028 wrote to memory of 2340 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3028 wrote to memory of 2340 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2340 wrote to memory of 2396 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2340 wrote to memory of 2396 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2340 wrote to memory of 2396 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2340 wrote to memory of 2396 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2172 wrote to memory of 2200 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2172 wrote to memory of 2200 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2172 wrote to memory of 2200 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2172 wrote to memory of 2200 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2396 wrote to memory of 2664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2396 wrote to memory of 2664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2396 wrote to memory of 2664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2396 wrote to memory of 2664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10af840c6fab21d128bd3358c3d8b567_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10af840c6fab21d128bd3358c3d8b567_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 224

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2172-13-0x00000000000C0000-0x00000000000EC000-memory.dmp

memory/2340-15-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2340-19-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2340-18-0x00000000001C0000-0x00000000001D1000-memory.dmp

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

MD5 83f5a64a268f21c7c6d6dd54ce8a88c2
SHA1 61376a625d7d389c5c1646aa534f1ef3135da2f4
SHA256 c0b96c44a00557b60df0fa0ac9b129ac07d5b93c669f4a3c98276d113ff6962c
SHA512 4cddbd07e10c93d23efd1560084f0482520f90f252d6e90380222f0d13ac3bf3587fbddb3033a6b06d550838731db072001197cb3283e4686f5b8bd5b6d894f1

memory/2340-17-0x0000000000260000-0x0000000000261000-memory.dmp

memory/3028-12-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2172-10-0x000000006D100000-0x000000006D11E000-memory.dmp

memory/2172-21-0x000000006D100000-0x000000006D11E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabFC0D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarFCBC.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 604f99bf902a12f730c73e3252968ca2
SHA1 860be4fab8f90fe5ec0495c2a5a33875ba969c0f
SHA256 fff264ba0336981d4988337fde9f7b1944c5f9545c1d36488725148794d1b393
SHA512 ff50f2a2e4239b5905b9ac2de2e00ab1e04b8cdee000cce64b3c5e964b4b9b8f1c58df85c28ddf9058515910a8e0557ce4da9e956499b2f72292df77d236b200

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c9a63928539edfec08cbaf08dc61a9e7
SHA1 ca8683d101e714f37666c3c25dc3f6fce7e476b0
SHA256 bf3c552372dc93fd64bc01d3ce0e1295affe1ca401ef9239473c586dc518bae7
SHA512 c48f6ad2fbaa2bdeae8c2b7a6dc5e577499f67236468df0f1b4f1015c44019f7a0a2e3bc21015002dc7c3780315dac4eabddee22cb168f44c350780df8efb907

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 309169894c830ed6fb64ebc85c18492f
SHA1 e436ecbf5fb3a2428976aa066755b1f38abc9d9a
SHA256 7f207c9d2cfee045196a287fa5a8274a6e4be9e23a6afdb0c23b6e7612ecc9de
SHA512 08580d75f9b838d38c40ca3a190445bf9de22f648eafe846c59e4d71b23a108702309a48feba8c2bb0b44e9da616f876e784c038ce14c443d0bae4bde366c2f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9974d336ef117b5cbcbb8b37b2cacf7a
SHA1 0036f0e55c1753d47e4ae1813a3788f884d0dee5
SHA256 f7177d6690379f41505d8eba942439ae4d25f095186a7cbc775aa419243e01cc
SHA512 6af3241f08761f6778a0811ef1d1ab9c7546febea9e9829e1842915569af6f693f1e62cf597551cf119104fc5ced02992023192ea04c4858fbbf613523babb1b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 791d58fde355e361eebb34558823f0f4
SHA1 38f236e3c2e8c1f26fb5876bf3bc0e7b016065e9
SHA256 4c2a5b5f6449d7410a62909648b41cc55f4b7e0b634148214965a0a9734ff466
SHA512 3c902d54e7957e83e34c0736a06b74586fbffcbcdaaba92f8dad91b9dca58b1e72102fed554905fea5f50f2397e8bd6f134d0fccc320d6279733fa6c0a5c7df6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1580179cfa11a5ea4248ddd8eed36fb0
SHA1 6f58c54ee20209ddcb0beb9635369f6dcf64f48f
SHA256 144035a95c5cef1e31eed814a6631ec4d7aa0e7bcc7aca5c7f721ea4485cdac8
SHA512 95cb626ebc7ab6ffcb56974826304072d26fd648fae3f9a5655f7b0644e499f809d18a3b4626c2aa0b788368c8a262d62c420aeed519ff9e7d6249d203421052

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9449fd0439af3c5694858b01da66b4ae
SHA1 095395c01bca329d08f1a602d34f3543883b5dde
SHA256 53fdca380a0f5b360f2534683e77a4e4abfd088ace768777021ca19a91123785
SHA512 8dc26eb9e1688360bdee371c41ff52d4305035c8ab9f7176f5468d228372d8b4b997cb92d6fb850c30ce72425f334e1cedf2164f43183befc1b2f7fa06f9d9ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 92463c7b709217a25d4dd6d7e84a5d9c
SHA1 4f51ac8a7a91c78ca07985ca5517618e4ef6ab82
SHA256 d222d30bd9c6189585b6087bdfca30c3eff00f11add8e14c01b2cbf8f0107dd0
SHA512 f3ea7aaf6ca1fd17021ee45b9aa4917a7461b8279bb36b097392c114e3c344658f04fc499bd7f160f9398f74b60af7396280bb3806a6d87af8353720aa4898a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d0b3126898d2eed414650b8f6bab41c
SHA1 d9431b7a3b66bdde2ba5d48aaf296e7c1c62c0cc
SHA256 3c4109b19a0b8a85b0ac8a6eb1d208bb4d03f7996b0b61f031624a96aba2ba25
SHA512 144b3a152884e3c755397703e6d9615cafc2a4036d080f76d384b526465928aedd9f28f381da48a5fdb11292af6619dc55647f467c12772db8dd70470ead18bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 562bafbc0a1dff46a7f6f37af3a3b9cd
SHA1 43b501b9484f7ebe6a59c61e18a22dba15849294
SHA256 be4703f7d85c8ee538b0bf2465f2cc13c3216c57e643399410a42d77cf36024e
SHA512 6df8682b9636c32d6d2ebf9a531a328db5f10d5ece99e8e9e736fcaad24b99e0fed11651c4a3a232721ad8312739b6f074d7e5a49c41e607f1cec5d65f9825e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 55e6e63895f7a7952f2a6c9997bae7cc
SHA1 37ff66299d6609949f1be24e74ec770c088ca886
SHA256 69e9a468e954cfe10abc7b522e77acb547c849ac2614f641e58582bebb06b1a1
SHA512 7a3d646490db4b4e899c69a0828620a35df608a52efc7d161a60abc004d97efda9edd21d4e8c76df6e973d377af3ad8196bc858971eb8379b6bf691e74bf4f6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99f670a11990697fd1c7b65059eca2b3
SHA1 ed674e52d86d1d641a47cd6046c4ced66587320a
SHA256 7a91e6f9c947573f515689dbb68641a064d675df15551b4d047a3290033c37c5
SHA512 5ba864df72f0a91ca912fc812fc295159f35b940d1867e418e59549379daeabe41c5fc464836ae4957caaf3569bfde4fe7e6c67151035154528601be9b6170c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d2666768f469fac3e52a74c67057dbbf
SHA1 2f45d29ac335025fe97c2752a01c7c065260998d
SHA256 638aa4bc2cd8450ca8f194080e26e1afeb29164c1b8f888c58d1e958709ab5cd
SHA512 84b0096413e2b6cdfbb95238ad1dcf8339251e545cc552175c0c7d7f8bf3e4f1e01d09f744484b9dcfd1ec181fde7c83c3e7f311ccab7fab4d8d87eb734e1d35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 702330b0ebfdc0000a1b5275b951dd01
SHA1 785b86ae19e4d3b3aea888391b37145e403b9896
SHA256 ce7297b0198d69e3b2fa5fa7b626837fc7c31b7e8fb298785c5c7a0ee16e9ce9
SHA512 99acfcf6022b9993c9952258afe7fb214ae78674cd9110e9d3c714b1254a50513e855b0eec5e9888166956212404c2527a0baa84ef9157959b7e984d03d47c33

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dd9436410d93142bcecdf6ac45acf2b0
SHA1 2f8c3ae1fd9237ff5ba87969a22df45c726bbe31
SHA256 fd4830b2a477a18327c7d383b10eda55d7a0af05ae1b672fc4322705598c3b56
SHA512 2815924320aaab5183fc051470649cbf15a643205c640cb41642dde4f7ee0ee21697b197883d5eaf87ca0cc6eb84285e40ee9ccfd8f57c2ab2ce9cfc158385fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 22e1cde03bb37d433ab551e164fdd588
SHA1 bbff722901a2f1057c5f359da791227093c2377d
SHA256 1a45442a0c4a54203285e0d75a5b34bd35959bfea42d3280d93c6f1bec316435
SHA512 fe29d5f1bd2055943dff481f1d0883c5e0239408075fb843465bfae4d194a0bd7355c0d798730abc080cb74fe7515910144f5c2eb0c8fac0d17c3a0c07c82807

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 455c3e4d619e61c49b4547b8167c40a4
SHA1 a00b868d9429dee292593f879c8e44d3ecd44852
SHA256 060124ee8fba1c16ef7380b120fbb05122e0948751daf263b0255f1fb767dac1
SHA512 3465135d89d2cab6c94f6316504e77f85a5b0a6c79d663c106b4be4a2831a582ea528f0c3ae10aac7ae4c0745f213d9e520530b7b886b27d7625ee07ba3f3f19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0687570c16bf6481048ebf4589a8fbf7
SHA1 06a439746355f3ccbe4ec0dbbcfcb11134e4232c
SHA256 9bd33f62e543571aecb1848c138f7761731b52da3c894c28f774c6c6c1e592d3
SHA512 41f093df8339f584c7b5aff04e5f8b6875d61ad71f7dc5f378f46ba459312aae20546959581785d8ef0542972a4ed450fc9299372e86248026f523dd3056cf5e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ea598a1bbb0c970977dcf698792e3b4
SHA1 8618b297b703ef90d533420cf6c911a9a784d88a
SHA256 4408913d599c6d9f8676dae94f5da8082badda14a8e5a9e5f749fce7d2ec5ff0
SHA512 b1f77670801d2d349a9acd9ccb0c49ade1f54c98b5058e3e08a8cd692d131d0c7480e54198b7ad253589cabcc916491175404e3bd8c96f94e36b57288f1e1deb

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-03 22:08

Reported

2024-10-03 22:11

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10af840c6fab21d128bd3358c3d8b567_JaffaCakes118.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxA9DC.tmp C:\Windows\SysWOW64\rundll32Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32Srv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3853151487" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434758305" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3847370559" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135200" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3853151487" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{10206642-81D4-11EF-BB4F-6ADB259EA846} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135200" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3847370559" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 212 wrote to memory of 3944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 212 wrote to memory of 3944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 212 wrote to memory of 3944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3944 wrote to memory of 3960 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 3944 wrote to memory of 3960 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 3944 wrote to memory of 3960 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 3960 wrote to memory of 3176 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3960 wrote to memory of 3176 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3960 wrote to memory of 3176 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3176 wrote to memory of 3988 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3176 wrote to memory of 3988 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3988 wrote to memory of 4692 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3988 wrote to memory of 4692 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3988 wrote to memory of 4692 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10af840c6fab21d128bd3358c3d8b567_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10af840c6fab21d128bd3358c3d8b567_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3944 -ip 3944

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3988 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 608

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/3944-1-0x000000006D100000-0x000000006D11E000-memory.dmp

C:\Windows\SysWOW64\rundll32Srv.exe

MD5 83f5a64a268f21c7c6d6dd54ce8a88c2
SHA1 61376a625d7d389c5c1646aa534f1ef3135da2f4
SHA256 c0b96c44a00557b60df0fa0ac9b129ac07d5b93c669f4a3c98276d113ff6962c
SHA512 4cddbd07e10c93d23efd1560084f0482520f90f252d6e90380222f0d13ac3bf3587fbddb3033a6b06d550838731db072001197cb3283e4686f5b8bd5b6d894f1

memory/3960-4-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3960-7-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3960-6-0x0000000000570000-0x0000000000581000-memory.dmp

memory/3176-15-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3176-14-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3176-13-0x0000000000910000-0x0000000000911000-memory.dmp

memory/3944-17-0x000000006D100000-0x000000006D11E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 6de4427d02d49cee2c46a8fead1fafa8
SHA1 bee49bf0e4452ca72442face8e655bf4a8c3af17
SHA256 46d5cd7ff558e5c788807eb674587359c6a660cef091eb420676977e49833d53
SHA512 c80311bb92f9f49de96d06e9a76a3ef0310365999f00f401fd003d438b66744a88f093b5887e1723c6b8179798697ec24c4b2bda489323337f6cec6d28ef6434

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 3fa81aacc2b7480f41623b3492df88ff
SHA1 44b09e2da2a46c44e254c925e8682a9cf9a016b3
SHA256 28b09bdcf83be6716a3329df98fd1cef5781cbea0992b2bf045a2a4efbe99629
SHA512 f7d8160fa957bf1af5a740b05e5e2e636a43356cf3f74173c73901c97322284ce72a7bf77cea9310ef3cae3064f1f5926bbe8e1e6cf5ed1bb5a00d5ba460fab0

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2805.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8WYVOD7\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee