Malware Analysis Report

2024-12-07 02:06

Sample ID 241115-nj119asnfz
Target 2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit
SHA256 868fb51e2ac813658c149757ebc267475ebe3f05e45925600b12b7a28635dfe6
Tags
ramnit banker discovery spyware stealer trojan upx worm
score
10/10


Analysis Overview

score
10/10

SHA256

868fb51e2ac813658c149757ebc267475ebe3f05e45925600b12b7a28635dfe6

Threat Level: Known bad

The file 2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm

Ramnit

Ramnit family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-15 11:26

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-15 11:26

Reported

2024-11-15 11:29

Platform

win7-20241010-en

Max time kernel

149s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px9A2D.tmp C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437831857" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{74DBFAE1-A344-11EF-B985-56CF32F83AF3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe
PID 1128 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3000 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2936 wrote to memory of 3068 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1688-0-0x0000000000400000-0x00000000004EA000-memory.dmp

memory/1688-3-0x0000000000250000-0x000000000027E000-memory.dmp

\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/1128-9-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1128-8-0x0000000000230000-0x000000000023F000-memory.dmp

memory/1128-15-0x0000000000240000-0x000000000026E000-memory.dmp

memory/3000-18-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3000-19-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1688-20-0x0000000000400000-0x00000000004EA000-memory.dmp

memory/3000-22-0x0000000000400000-0x000000000042E000-memory.dmp


memory/1128-37-0x0000000000240000-0x000000000026E000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-15 11:26

Reported

2024-11-15 11:28

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px8750.tmp C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1218289201" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1212351417" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{73C6665D-A344-11EF-BDBF-E6FB6C85BB83} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1212351417" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438434961" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143761" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31143761" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143761" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 572 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe
PID 2924 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3468 wrote to memory of 3944 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3944 wrote to memory of 4180 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3944 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

memory/572-0-0x0000000000400000-0x00000000004EA000-memory.dmp

memory/2924-4-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-11-15_2e070de6ad8c824d7708a0f075a058fb_icedid_ramnitSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2924-6-0x00000000004D0000-0x00000000004DF000-memory.dmp

memory/2924-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3468-13-0x0000000001F10000-0x0000000001F11000-memory.dmp

memory/3468-12-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3468-14-0x0000000000400000-0x000000000042E000-memory.dmp

memory/572-17-0x0000000000400000-0x00000000004EA000-memory.dmp
