Malware Analysis Report

2025-03-15 04:33

Sample ID 241026-at64cstrak
Target 1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bN
SHA256 1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7b
Tags
ramnit banker discovery spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7b

Threat Level: Known bad

The file 1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bN was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm

Ramnit

Ramnit family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 00:31

Signatures

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 00:31

Reported

2024-10-26 00:33

Platform

win10v2004-20241007-en

Max time kernel

110s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bN.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px9097.tmp C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Modifies Internet Explorer settings

adware spyware

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bN.exe C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe
PID 4804 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bN.exe C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe
PID 4804 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bN.exe C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe
PID 4656 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4656 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4656 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2052 wrote to memory of 1108 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2052 wrote to memory of 1108 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1108 wrote to memory of 5028 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1108 wrote to memory of 5028 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1108 wrote to memory of 5028 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bN.exe

"C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bN.exe"

C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe

C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1108 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4804-0-0x0000000000400000-0x00000000004CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 00:31

Reported

2024-10-26 00:33

Platform

win7-20241023-en

Max time kernel

110s

Max time network

68s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bN.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxBC6C.tmp C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bN.exe C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe
PID 2988 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bN.exe C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe
PID 2988 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bN.exe C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe
PID 2988 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bN.exe C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe
PID 848 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 848 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 848 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 848 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2292 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2292 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2292 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2292 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2076 wrote to memory of 976 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2076 wrote to memory of 976 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2076 wrote to memory of 976 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2076 wrote to memory of 976 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bN.exe

"C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bN.exe"

C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe

C:\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2988-0-0x0000000000400000-0x00000000004CE000-memory.dmp

\Users\Admin\AppData\Local\Temp\1cb3fb7a24363f4dffb9554f42c76a06a7ce4bb2e2c2a45206aacd34f88eae7bNSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2988-4-0x0000000000220000-0x000000000024E000-memory.dmp

memory/848-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/848-9-0x0000000000230000-0x000000000023F000-memory.dmp

memory/848-10-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2292-19-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2292-17-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2292-21-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2292-20-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2292-23-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2988-24-0x0000000000220000-0x000000000024E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabDC9A.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarDD6A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

memory/2988-453-0x0000000000400000-0x00000000004CE000-memory.dmp
