Malware Analysis Report

2024-12-07 02:06

Sample ID 241115-nvw7fatdnh
Target 2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnit
SHA256 2accae9c4377f2cc1826425bbd536f7bed5695dff2d11db4aec2b01e7c363dcb
Tags
ramnit banker discovery spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2accae9c4377f2cc1826425bbd536f7bed5695dff2d11db4aec2b01e7c363dcb

Threat Level: Known bad

The file 2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnit was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm

Ramnit family

Ramnit

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-15 11:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-15 11:43

Reported

2024-11-15 11:46

Platform

win7-20240903-en

Max time kernel

120s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnit.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
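
The "UPX packed file" rows above carry no indicator, and the "Unsigned PE" signature in static1 shows only N/A as well; both are static header checks that can be reproduced without running the sample. The following is an added example, not code from the sandbox or its vendor: it reads the PE section table and the Authenticode (security) data directory with struct alone, flags UPX by section name, by the "UPX!" marker UPX leaves behind the section table, and by the empty-first-section layout, and reports whether a certificate table is present at all. The build_sample_pe() helper constructs header-only PE32 images for the demonstration; nothing here touches the real sample, and the images it builds are not executables.

```python
"""Static checks behind two of the report's signatures, "UPX packed file" and
"Unsigned PE": read the PE section table and the security data directory
directly with struct, no pefile needed.

Added example, not part of the sandbox report. It never touches the real
sample; build_sample_pe() constructs header-only PE32 images for the demo.
"""
import struct
from typing import Dict, List

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset/size of the WIN_CERTIFICATE blob


def parse_pe(data: bytes) -> Dict[str, object]:
    """Return section records and the security data directory of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # PE32 keeps NumberOfRvaAndSizes at +92 and the directories at +96; PE32+ at +108/+112.
    ndirs_off, dirs_off = (92, 96) if magic == 0x10B else (108, 112)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    sec_dir = (0, 0)
    if ndirs > SECURITY_DIR:
        sec_dir = struct.unpack_from("<II", data, opt + dirs_off + SECURITY_DIR * 8)
    sections: List[Dict[str, object]] = []
    table = opt + opt_size
    for i in range(nsect):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "virtual_size": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    header_end = table + 40 * nsect
    return {
        "sections": sections,
        "security_dir": tuple(sec_dir),
        # UPX writes its "UPX!" l_info marker just behind the section table.
        "upx_marker": b"UPX!" in data[header_end:header_end + 0x200],
    }


def looks_upx_packed(pe: Dict[str, object]) -> bool:
    """Section-name check plus two fallbacks for builds that rename UPX0/UPX1."""
    sections = pe["sections"]
    if any(s["name"].upper().startswith("UPX") for s in sections):
        return True
    if pe["upx_marker"]:
        return True
    # Heuristic: UPX's first section reserves virtual space but carries no raw bytes.
    first = sections[0] if sections else None
    return bool(first and first["raw_size"] == 0 and first["virtual_size"] > 0 and len(sections) >= 2)


def is_authenticode_signed(pe: Dict[str, object]) -> bool:
    """Presence of a certificate table only; validity still needs a chain check
    (signtool verify or Get-AuthenticodeSignature on a Windows host)."""
    offset, size = pe["security_dir"]
    return offset != 0 and size != 0


def triage(data: bytes) -> Dict[str, bool]:
    pe = parse_pe(data)
    return {"upx": looks_upx_packed(pe), "unsigned": not is_authenticode_signed(pe)}


def build_sample_pe(section_names: List[str], signed: bool) -> bytes:
    """Constructed header-only PE32 image for the demo (no code, not executable)."""
    nsect = len(section_names)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    header_end = 64 + 4 + 20 + 224 + 40 * nsect
    trailer = b""
    if signed:
        trailer = b"\0" * 8                                       # stand-in for a WIN_CERTIFICATE blob
        struct.pack_into("<II", opt, 96 + SECURITY_DIR * 8, header_end, len(trailer))
    table = b""
    for i, name in enumerate(section_names):
        raw = 0 if name.upper() == "UPX0" else 0x200              # UPX0 is the empty unpacking area
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                             raw, header_end if raw else 0, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + table + trailer


if __name__ == "__main__":
    print("upx-style image:", triage(build_sample_pe(["UPX0", "UPX1", ".rsrc"], signed=False)))
    print("signed image:   ", triage(build_sample_pe([".text", ".rdata", ".data"], signed=True)))
```

Run triage() over the bytes of any PE to get the same two booleans the sandbox reports. A present certificate table only means something was attached; a stripped or self-signed blob passes this check and fails a real chain verification, and a packer that renames its sections and scrubs the "UPX!" marker defeats the name and marker tests, which is why the layout heuristic is kept as a third signal.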

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxBAF6.tmp C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DC9E6121-A346-11EF-AB7C-F2BBDB1F0DCB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437832889" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe
PID 2512 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe
PID 2512 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe
PID 2512 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe
PID 2168 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2168 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2168 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2168 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1944 wrote to memory of 1740 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1944 wrote to memory of 1740 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1944 wrote to memory of 1740 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1944 wrote to memory of 1740 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1740 wrote to memory of 2392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1740 wrote to memory of 2392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1740 wrote to memory of 2392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1740 wrote to memory of 2392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2512-0-0x0000000000A50000-0x0000000000DC2000-memory.dmp

memory/2512-5-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2168-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2168-9-0x0000000000230000-0x000000000023F000-memory.dmp

memory/2168-10-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1944-19-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1944-21-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2512-15-0x0000000000A50000-0x0000000000DC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabDBD1.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarDC41.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48a60d84c6384da47379d01405fc468a
SHA1 0dd79b5b89ac987b895312929c16ea1aca707ecf
SHA256 adc0cfa0f02bfb38bc2c7978cdabcdd4420bc9a9a2a2a954af6c8579f433be70
SHA512 7f4d6caa2eccb63471acc4551840ee7f939e01f085fefa326a1634480c385e1c08800da9bae530e02c1c27df8455735a5a4b7b5f6b0fd5501bdd51c628d36af5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e33f3e68e20466c9de15d84a4f5d52ad
SHA1 454db5a221e997f7d6792d337cff0a7c771373e0
SHA256 9ddbd803e928e5b42fe2c5018083c22a03d66925b029cf402b56da4c18968462
SHA512 acedf3f1ccd13e4e1380bcb7b6b726b5d7a1bffe939a84c94cc6d271bb6007561a87740e3f7137627874533d6230a3bbaa69e024b028d6d7d5bf57b01eaeb290

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 453f734123a4c96f67747c7a56985aae
SHA1 7c331a46ec9fb46c156a18257b0d2b47d7fd42fd
SHA256 0a465a86fe04c23421261081bc1f09a982957e1338374cc367cc0355c1a2a74c
SHA512 d1d079c66ba36683261f296ac51745a6739d61ddb8ec92431a4ddcf3247e6618a709993b1fbdd1dd3deaad7aa518dda579a691a42c8d9eee2d3dc4543b68b9dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a6d99e434b2a48769e9ef0a215e9e22
SHA1 36fe144df3aabbba7a9192796ce4331283f3080b
SHA256 5111556989740e44f7309d8d9fc9f9e8f5b64ce68d8a27e814a89865e36457d5
SHA512 6ea1301d127e11adcea7c7b498c44205e5487e71805b691881f5550748d6e13d260f322910553a2a68f8e1d03f199eee1d4e367391a5ee56b632d1cfd8ae32f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37c569054f6af2af64783137f7adffad
SHA1 3c6198d4eb7052a0dee6921667b2bdcca31bfd36
SHA256 3e0364908efcb726188f25a64e25d6db462d4805abd8bfc80e1a1b148e5e71d3
SHA512 641cd9a30c9abe5aab1634295b79064f26753d6774518850b1a7f8b381489fa0623111ed30edcb41d359e3e366e5a4deecf71e8b006f046176e0260dc1bb4f71

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 050dde6150d6ca70ef3a5668f614ce6f
SHA1 614456f570e872687b528a3a2f64611097cae3c3
SHA256 aa0442ed81a890f6b86f79d92512787c0f84f19c998ec3dfd9e49c1a49c63e3a
SHA512 ddfc9a9ba009c5abb552a75371454e63560d900483f3405217922bdd9073f12f461d5a9ad38327265bef706d20a57b13c114339fc7455ea8c1ae7d0ed8ea486d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b29c70b7f646aab5c4c383dd666df35b
SHA1 726d0c0c29c22a8ed28cda678aafcff7ad5ed221
SHA256 7f0fbcbebca5c2bd51a18e84677cb1b6b0271b7f0c5202e3733a24244d39edfb
SHA512 b387ba96871bcb4fb44d23029bd2de3ab98d7315ac4cf7b086a71b89e12753fa868765975a185e72e78025cd93554ac2895d48e9f5cca94905924683123dc086

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c7d309c7d621f1e557a7d819a2b3d5f
SHA1 ed190ea04f5337a79a5d87cafd6db4e269124348
SHA256 2c4953f20ad19719c583c8332cd369b578a1cd2422aebb552cb278a1fe1bcb0d
SHA512 0bed2096989f234fd177865c2dceb1e39d84bfc5f9ea4c7b42a76d04389c3f0ffaa8c83350ea65242adf6e3968c7fd069eac0abd4975e83c3d30d477ba9a6b9d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a6f3d3b5fb241ff62e147110c6adb8f
SHA1 e8eb1df89979d93de147d3856ba09fb3a7cf1136
SHA256 91b34b9b7650e1e934176580d17ab78f84484a8d4d1b211af231901683b44659
SHA512 d2d9f881e90b8d6f2f716259f1088e1d5507eaca6dd4b7f6d8618ea19fb65b47c07b91e74e8dc3083f1337087ad2c51ac21f580699b0fcb56787e949a1e7b022

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6cad2474fb800b4a46934c447b28a876
SHA1 7ef407d39a61076b0a86d728e736d033957f27c6
SHA256 87e67311c6fee73b0753933f762ed12d898a7e834f3121805e49ecaedd30d04a
SHA512 b789d46f5c48bb124c80a296a89b7c475ccdc6285ee854e095b457eb9bdb4b4a14d628c8bf98c2fc6ec9f2c9974c6d76a2b87ab57d8ec88f89ee1b18d601833e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 841268949f74623173e5548743876550
SHA1 1fbf1c85e9548b6e13840130f5ee85325206c21c
SHA256 0bd1e7f08560a06d001e9e6cdbcadf71e6059fb402f8746f059e35126e8422d5
SHA512 da1cf517afeb53a3f7c6d9eefa46114c580b7b3df88fd18c5bd3b5168cc6491f0977f519de75ce4a7ba320c960a0b6b130a3e172db5f541c31879c59281bd2f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0196b376f5d369e961c91024222e245
SHA1 d0007f1016d6a93e47a93118d9125a3190ebb347
SHA256 ba2991ab64845a1d3e8a806b9b17fa04669cb13c68682b865e5cb0f9e245069d
SHA512 a48a9f52f14347d723b904e290a28ad0c680cffc4d8f02a62365466cbbc96594161d93ac025a7eb6693835e77717d7abf2841a7f9a52841d65de87203b77670a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d3269484a2ced8d3b0a803f7b0f7ab70
SHA1 cd0c38319812088875bec550bbf7b075b79956a6
SHA256 0676702b586559864280f710eb018ecff284f82ed2b8894d24f8fa2c123221c2
SHA512 79b0ca8dac9f84a3690ff8e611525424795feb91b6a8ea55a4718ed3d8bd74777ee83c64891ea1f940d112f4415c51b47fc648ee86349a56a2a8b8ef1ea4e3fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bce9e0e7e18f66340ce84a3117a7e73a
SHA1 5212565b5ea22441800c1e376e9e1bf89a6c01be
SHA256 a558a1929f055b0356c446829cc2dcc46a9d5eefeee813a583b987159555d2ca
SHA512 2b8033358c97464c08ae802663d07851cd284f4ca4b8b1501a7a52bc7af5dde8c4d8fb09e1c5a4dfd23ba629fab4f0a3d994ab9f60309ed6d9ed019c55fc9dcd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f92cc139fb2616fb25d3a31aec907d0
SHA1 916ce587f2085768f763d5d52f0783cfe9782811
SHA256 ca221853633da560d21d39bc5a2dc48e756bef57d6261e15845e0954cb979eee
SHA512 c7573e10a615e79f8116726a883d918307f28605f98632d11808a4612bfb48bd45c2e57682f9dfc65a7b154881a716945a776d895e43b4abbf7caf6a11d4541e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 98baa325611d06196e8bd173a5109850
SHA1 53e29b674a3f3bfdcdc1da6aca17aa40a1068e40
SHA256 c363c4351937c5adc3b14e92c87325d7ffdd54ffef8dc318863686b1bbb82cb8
SHA512 3a34869a4b3d383a56706b6050e7a6052627a63e39cbc9d67473075c6a31108699a2e4f133a21691aad42cc55646cd5ef3034cae88da6e6bf1ac1e7ec8e2228f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 63b35fb6e72de4374ef798ba382c4089
SHA1 97ea1d21ee8597a8d99291693d7f8f08d4d03cf5
SHA256 e602483d20f2b83cfea54bb413f43d10e2cd2d7c0baf4d811cccbdc2c79c9dad
SHA512 c631674458e051b334347ba2a57053d31962c14242ecb6e1414d8b3f8c6f2572058cb85d29a430604853cdd190f34a1034dcad9a2dc63b1ff68722d4f7c2aba6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e8c6978d6c8d4458cc4678accb7ed202
SHA1 ae6756918798a23b919cb85fb31947e1077ca288
SHA256 8f37b17ead9aa7f7aa29a4a202bd3778433c33077873a898664f7e939c9ce627
SHA512 a2b6cc65f745d517687a7200e5e1ca46cfeaad17e521c49a70300b97ed3810412cf753017144b9faa7db3a4cc3eecbf9f15707c4040d4671574b1d91a19b9350

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ac76dc8a9a91b38ca2408b631100e45
SHA1 cc6cdb73a2c58d4fbc21e6ed65d71c4ffaf2d46c
SHA256 c5be94262f7255a40b2fb04e7ec325da6b6e80b06aa9d3a44d98c89ebbbbb7fc
SHA512 eaa2c507220235439610128bee7f178f24ee06e7572f5711a298298a836339b933d40c1381d7311eace5bfe0a41f67d8d49262f4402547047c755d5ae4d3be5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ecb31b2e2c824eb5a5f784b79d5d4fd
SHA1 96680c39809fbc9eab8b70ee64979a6765aea678
SHA256 ce6efced334c7909eefc98b9cc8ea2a03d5df9c636b23c487c0eec004ab81e88
SHA512 20d0c1a2e222034443846e73e4975c8ad50d6adcbc9e58e59e5977781551120cf7b2710715c906383df81b5e45e07b0501f7f43285452a7b5ce30d1968ffb7c3

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-15 11:43

Reported

2024-11-15 11:46

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnit.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\pxA335.tmp C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnit.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DCBD2DDE-A346-11EF-A7EA-7ECF469E42CC} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2971792380" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31143763" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2971792380" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143763" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2976948818" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143763" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438435996" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5044 wrote to memory of 4680 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe
PID 5044 wrote to memory of 4680 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe
PID 5044 wrote to memory of 4680 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnit.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe
PID 4680 wrote to memory of 4256 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4680 wrote to memory of 4256 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4680 wrote to memory of 4256 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4256 wrote to memory of 3488 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 4256 wrote to memory of 3488 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 3488 wrote to memory of 872 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3488 wrote to memory of 872 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3488 wrote to memory of 872 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3488 CREDAT:17410 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | api.bing.com | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

memory/5044-0-0x00000000004E0000-0x0000000000852000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-11-15_4659b9cb8fb2d7e7e9154cbd29f008c4_bkransomware_ramnitSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/4680-4-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4680-6-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4256-11-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4256-14-0x0000000000490000-0x0000000000491000-memory.dmp

memory/4256-16-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4256-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4256-12-0x0000000000400000-0x000000000042E000-memory.dmp

memory/5044-18-0x00000000004E0000-0x0000000000852000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 4716dbab6f2ab2afcbaf76db5f0b38c9
SHA1 9ff921c8611055814c46c2f6040cc4212879907b
SHA256 14e6269329dc675b9c53db477169c352464cdcbf50d9653a22620720fcfd6573
SHA512 3ceb67375c9023369d37b78cc52157c6c3c540b3aef9dc470ccd562b9046a3883fc27a7f193550230987927db461d7e7b0a8cddfec12f45817268499bb78d02d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 1c6bd4a053d5b3bcf36bd7b1f8af2271
SHA1 bc8e1d60cd496ca95e7ef8b3c787d70ff2d4b095
SHA256 45007de550d35fb92f93bebaea3686afde539b045e054e14861cd319fda78fca
SHA512 c387355c3ef4bf9d565ae98daa801adf77f8a63eafa17009e318a68a5b13c16302c7eec659937c641c1eb6730f3c8d601313c368bc8053f540aa54158aef7c6c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee