Malware Analysis Report

2024-12-07 02:06

Sample ID 241115-nlek2atcpa
Target 2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence
SHA256 0ef82d9f481f03f6695aeb60442b1793a30db4d7bc03110cd674d24246464f50
Tags
ramnit banker discovery spyware stealer trojan upx worm
score
10/10


Analysis Overview

score
10/10

SHA256

0ef82d9f481f03f6695aeb60442b1793a30db4d7bc03110cd674d24246464f50

Threat Level: Known bad

The file 2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm

Ramnit family

Ramnit

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2024-11-15 11:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-15 11:28

Reported

2024-11-15 11:31

Platform

win7-20240903-en

Max time kernel

118s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\pxDD93.tmp C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CA138051-A344-11EF-9B14-7ED3796B1EC0} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437831999" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 276 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe
PID 276 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe
PID 276 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe
PID 276 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe
PID 1416 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1416 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1416 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1416 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 352 wrote to memory of 2252 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 352 wrote to memory of 2252 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 352 wrote to memory of 2252 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 352 wrote to memory of 2252 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2172 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2252 wrote to memory of 2172 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2252 wrote to memory of 2172 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2252 wrote to memory of 2172 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe"

C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2252 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/276-0-0x0000000000400000-0x0000000000631000-memory.dmp

\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/276-5-0x0000000000640000-0x000000000066E000-memory.dmp

memory/1416-10-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1416-9-0x0000000000240000-0x000000000024F000-memory.dmp

memory/352-16-0x0000000000400000-0x000000000042E000-memory.dmp

memory/352-20-0x0000000000400000-0x000000000042E000-memory.dmp

memory/352-22-0x0000000000400000-0x000000000042E000-memory.dmp

memory/352-19-0x0000000000240000-0x0000000000241000-memory.dmp

memory/352-18-0x0000000000400000-0x000000000042E000-memory.dmp

memory/276-23-0x0000000000400000-0x0000000000631000-memory.dmp

memory/276-24-0x0000000000640000-0x000000000066E000-memory.dmp

memory/276-25-0x0000000000400000-0x0000000000631000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabFD64.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarFE24.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-15 11:28

Reported

2024-11-15 11:31

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px5A55.tmp C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2681643065" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438435107" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2678049281" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31143761" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31143761" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143761" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2678049281" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2681643065" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143761" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CAD47D8A-A344-11EF-AF2A-DA61A5E71E4E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 692 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe
PID 692 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe
PID 692 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe
PID 4268 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4268 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4268 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3528 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3528 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3236 wrote to memory of 3376 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3236 wrote to memory of 3376 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3236 wrote to memory of 3376 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silence.exe"

C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3236 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/692-0-0x0000000000400000-0x0000000000631000-memory.dmp

memory/4268-4-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-11-15_5865f46ebcb92267aea0c40edd13c402_icedid_ramnit_silenceSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/4268-6-0x00000000005C0000-0x00000000005CF000-memory.dmp

memory/4268-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3528-12-0x0000000000570000-0x0000000000571000-memory.dmp

memory/3528-13-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3528-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/692-17-0x0000000000400000-0x0000000000631000-memory.dmp

memory/692-18-0x0000000000400000-0x0000000000631000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 29c75d1de34fd1baafd62109f453ccf8
SHA1 b310b7f4557cb08bb33e38305894831ab8864f86
SHA256 dc40e2dc6ae6c9909a9d70b18fe8c7673afdec21f62d659459cf2f3a83d692e3
SHA512 5e9ccf88c14cbec931081d98ae1f302da82be44511da89488c95ec4803546c407330aac5a5b0f2f62d0e45b94f6cea1d47bba264e4307d52a4652a40a500d6b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 4716dbab6f2ab2afcbaf76db5f0b38c9
SHA1 9ff921c8611055814c46c2f6040cc4212879907b
SHA256 14e6269329dc675b9c53db477169c352464cdcbf50d9653a22620720fcfd6573
SHA512 3ceb67375c9023369d37b78cc52157c6c3c540b3aef9dc470ccd562b9046a3883fc27a7f193550230987927db461d7e7b0a8cddfec12f45817268499bb78d02d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD513.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQ67RYHS\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee