Malware Analysis Report

2024-12-07 02:46

Sample ID 241115-nwezjssphz
Target 2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit
SHA256 1577d51aa666e9283eb6eacee5950b586c04abc57072863b9e3f59507569643c
Tags
ramnit banker discovery spyware stealer trojan upx worm
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

1577d51aa666e9283eb6eacee5950b586c04abc57072863b9e3f59507569643c

Threat Level: Known bad

The file 2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm

Ramnit

Ramnit family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-15 11:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-15 11:44

Reported

2024-11-15 11:47

Platform

win7-20240708-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxEB1A.tmp C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD5BA2B1-A346-11EF-80FE-5E235017FF15} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437832944" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe
PID 1904 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe
PID 1904 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe
PID 1904 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe
PID 2504 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2504 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2504 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2504 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2812 wrote to memory of 2772 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2812 wrote to memory of 2772 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2812 wrote to memory of 2772 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2812 wrote to memory of 2772 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2772 wrote to memory of 2872 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2772 wrote to memory of 2872 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2772 wrote to memory of 2872 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2772 wrote to memory of 2872 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1904-1-0x0000000000E60000-0x000000000105C000-memory.dmp

\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/1904-4-0x0000000000170000-0x000000000019E000-memory.dmp

memory/2812-20-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2812-18-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2504-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2504-7-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab12B.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1CB.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90fac036bf8bb37b2b9241ea26149ba1
SHA1 a480dad89a21ebd695a3fd9223c25189c13c01e5
SHA256 e2b1dbc27595cb4f51bce1e1ec6f49e4a87d5545303b4cf596947003a9b04a00
SHA512 f299b407433f08d34467938affde3d97fd3a249641e678b303e14e86e9d75a571b33c4dfa0f25bcd7524aa7f99b3ba616262383adaa4d4267934a9f9ff5825f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 349bfaff41968cc3f0f543f78476764f
SHA1 95e7ed0350e8df23c95475db4d54e5bc95203d95
SHA256 d4741ae105a11055c93a8050064818ca4d786631d6e0a9aa50b431b432763d9c
SHA512 29f680b1bf08a69e10dadfcc0d93c84075b65a038b385bda4b0d4d1f2cb25a993a8038ecba5853c02a763618b3c60304acd6a414186264a8e5de00a1fa8346c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5eaf6756ca58779c2e839494ec2bdbff
SHA1 6662036d9a472227b3f140182efb164d952dd46c
SHA256 dfd780a171896df6195354602053e20aaafb2bf4afe82995eddef4b40cbe239c
SHA512 b6c3dfc5b327f6f429b30286784206cc79faaeb0e6bd03cdf7b021a3521ff7cc0d6aed6836de335b16730e4945e62878f9e78e26fb67374e1f5096df8879246a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 93e2e76b5c392356c75115d0f7c222d3
SHA1 a78fecb3e951b1f96322a41e833cfae8476df016
SHA256 d4fe1dcc77547996dfd7ef0f269e179df5519f1c2226f2b068bde316153621a6
SHA512 0cd52e9d7ec27cf203992abf9f68df72bcafdc62ba6f948fc51f7440612640f13fc1af439a77d5e130dfa72877e8b49fee5172121e6c1757bfc7e50c44bb47e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17cf95c1d024bae2b8e08b1bcb3a325d
SHA1 064b467b5eaa861146fc11e7ab1425e621644fb0
SHA256 7c2767b2622bbb39462714de4354ec7c8bcfd842dd6a57975c5f9dc8f04425e3
SHA512 a0dd5ebcf7f3aaeca6ea8a73b8478cf7931c77bc36bc943ec99cdb995bfb55009ee665c41ebbd59de7de5d35eacf5f0a36c1f1a566499be14c7cbf8fc0283316

memory/1904-188-0x0000000000E60000-0x000000000105C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c4672e8f0cac1233e853170797639cfc
SHA1 a377a3c917b23e6ef3a39e3731b9df54325e7af8
SHA256 0442dc992f427bf36b8370a4788cbceca883bb4ef888b76c8e76b900756815a1
SHA512 fbf8774adf90375703b6a55ff6979ad946de5c875de46ce480a60eff0683ed6c2a6171990f8dd6aaa891a6a29c9fb8775bc99663611ee967fd651e87b947e7d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a885ca12cefd591cf3277e199fb4a32a
SHA1 5070bf2969de28e66ae9f869fbd369abcf5e1085
SHA256 88035966351d76cf25b4b264e1e41b27b4cb580d32b8edb75b3d9bf25891f25b
SHA512 c475459997ad2d6e1b6313a7001fa70fd0e5fcfe8ceec63834aa6254a175d0e737bcb116086bcdb459ebb0740b51557836ea972f5ce714e72591dc81bba04065

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c3cde2f28b2859e1a45719f77d554877
SHA1 7ac6f35b83dbd69c90ec5c04be857126adbf6476
SHA256 5aa41cf20f284b9bec56dc452dbfb4c0685bf8f64629bd4cbaefa9ba2014751f
SHA512 ec8cadc3bdde145e9875d79b5fe5936f4a19537d97f752fa9a1cb3171d20abce2621a74e48a7624600efde6edb285be710c3476ab14741ed12d0eff1a5fb4f3b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4a703b9a09c0b400be5982833a82ae1
SHA1 ec0c8c20c9a579678f3a84773f4d594cc2164b90
SHA256 4494854799107bf038f52b239454f77adabb53ddda4a1a8cdc6e05115eac5623
SHA512 56e4906f54c76af9901fa32302476d4fea76d27d25a45196b1ebd854021519bf973b5578100098b66ec9bf11d7977ad0230adfbd038d89afa7b0e76e876e14ef

memory/1904-422-0x0000000000170000-0x000000000019E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef3d0f70908b023e78f5677f202d7560
SHA1 6c3c60017b031a81a22fb8b069b90ae3e1fa2f30
SHA256 15b83f04139e7f7fd6911249ae75f64880c15a2d0f46074ca7eea5515a78f57f
SHA512 4934e5ceca2bf5289900733fc99b4e9ec55f61d4b3da1587c4f880f5faa858fd8a6cecab2b3e8b653ab9fd2277cb07a2712dd8d2b415c7c6c1b75c08df2caf35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 beff4e35333cc4cccb2e3a024871de13
SHA1 dcd895a9d0b196c7d1f36a602b5c69cf161db442
SHA256 67f6f0b53253f275abd0aeb6b28fa0ceca7d6e8ea28ed9aba2750f23dc1fba09
SHA512 9e956429750ac6b087f966232f5e868cd6a43127eab1db94e92a8bc8de2488f1ab1b6dd94a211299efd6fc1e36c3e22c69572e13a1d7ff8b49b4a4811724a618

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 283aca828bce5cbfc00223d8a5ea45f4
SHA1 5cdb55497761f55760629172603b46908b19bfb2
SHA256 607f14f7ffc5c1b69ec0e22403f8f1c2211adf10b05b03fe486b91342f591e2b
SHA512 df6b63826cd9959e88bdd11bc1ec8a3140f67c7c77050cff4fb138b92d2da9f25dbe53dd1bf9f6d953c8d4f60f1f2fb67f0fab7c79deaee0ad24b97926d73d09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09ff8e1a8cd9c712ffbc8e9f638e59a2
SHA1 7d047e29f8732d198aff69fd216a64ad8d64e655
SHA256 91396a6b7daa69beb444a72936b562a32ddbe22e2e6be21c85da0b0a5a68f76b
SHA512 faed5dc223372ce99bb80215808f3d908777b9b9002e916bd1deb7e8e5a59d9dcbf6722acd2a38e950d9ab0a96d0d3b072554e9e9eacd90f5ba29e702b245c69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1ca54676b89be27c75d0216ccf4eccc
SHA1 a2faf33225c6ada271c87b46dfeb8db71d03e086
SHA256 c63ccd0004ade94de2bf474bb35cb9853d22101ac15cce1d8198b99e77874b5c
SHA512 46432a0c5f10cf36cb9aac3ee186809eccb93f848797ab36d87832b5fee03656f58ecd1d3f7dfaf31f7dfdf5e61ca1ffa8c16de92458c94620ac37c3a304ff02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 440e9c58ca9ed374bd5d6bfbfaadbff6
SHA1 37ee1fdd726f7ae6e000b16737183681676cb458
SHA256 16110db22c8a0c6d652d614962ca7ef4971e795778d2ef92032ec35be4595195
SHA512 a486c6038f35d6608fc3bf33f04b327a87adad533322d80222434000f400d71525100202b6b72b677bb937c07042148d68140c218066bafeeaac5399f7c5a84b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 688949ddaebf4ab82fffdb1b1f1d8fda
SHA1 a6cb08a774e8295537c836aa6c62ccea4e47c063
SHA256 24c6041f88ab4b2db8c9abe8a4232a45a25f174142dcef14616232b2077a7d83
SHA512 15e33859e22bd416b38573ffc3e876c4458be4b66dbb6ab1d51dce5507a53e238b9923cc93380948b41d061365e7b64be4ffcef2aedf320e577224022ea41ddb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 400c53d55a178ad1a782133ab19d8915
SHA1 c9e402d80791fbe917ab7a8c05809f747ee00f74
SHA256 e43bc96228722cef1515a813bb079c6cafa3a7265a498dcc1828385f06b89a47
SHA512 c8a0e975ad689158191e7231a374a5611eb3e168402f66c99eae7bbba96f590c229959a2546a1767512de89fbf060ac6af3b4c1e7117f008b657358115024960

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4816e9555fee687c8bbf0a52ee8846d7
SHA1 26e99a41aed591ac3baa1532e391c92d66fdedb9
SHA256 c8f5a2341e6bf899cd78c582567ff7be116f80c0d18a2f35e051fa835916121c
SHA512 1097dba94f92f208fcc7d1170222ba5f6cf1f76402b8ec17d0ada31d653bab4e40383bd32bfd83aa3e4b3d195ded69ecf1173cf14388daa85409ec87afce3bcb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b051276d9067fc67eed9078650e406c0
SHA1 acb9f6813ba1cf2002e972d465eb127d5f4988a2
SHA256 c3dae326f571c7656aa6f75b3bbeb113c491fd3cb97faca53217ae18306e7c23
SHA512 63363f7bbd4851a710fc70e86642ae96255c5a8bc5bfc20268eb537afc35979d2f5d66dcfa43294226466c3cf48627a10604aa5e4d9b4a52e1025fbb8d865ca7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd418e857e5744abe852c11e4641a897
SHA1 c956f782d120c5509fc70ec07e80c66cf5e6cae0
SHA256 23492beb040502d4ba9d27ecd4cfbb673b51fde1e47eb4b197e32074a2795b04
SHA512 831feff1995f0b08cf9ea40e195cca2bc52a42e70a5e9f9a36875d84e2d95e806f502d02d02b94a7c63309bb085c2618fd13560d715ed5bdf9f4d90eff8c28d4

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-15 11:44

Reported

2024-11-15 11:47

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxC2B4.tmp C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{01A4041A-A347-11EF-A7EA-DA67B56E6C1B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3591056052" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3595743494" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3591056052" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143763" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31143763" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143763" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438436058" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3828 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe
PID 3828 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe
PID 3828 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe
PID 1416 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1416 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1416 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1356 wrote to memory of 924 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1356 wrote to memory of 924 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 924 wrote to memory of 4980 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 924 wrote to memory of 4980 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 924 wrote to memory of 4980 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:924 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

memory/3828-0-0x00000000000B0000-0x00000000002AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-11-15_8dee32eb82cace9af4e7a0b39633686f_bkransomware_ramnitSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/1416-4-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1416-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1416-6-0x0000000000480000-0x000000000048F000-memory.dmp

memory/1356-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1356-13-0x0000000000590000-0x0000000000591000-memory.dmp

memory/1356-16-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3828-18-0x00000000000B0000-0x00000000002AC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 4716dbab6f2ab2afcbaf76db5f0b38c9
SHA1 9ff921c8611055814c46c2f6040cc4212879907b
SHA256 14e6269329dc675b9c53db477169c352464cdcbf50d9653a22620720fcfd6573
SHA512 3ceb67375c9023369d37b78cc52157c6c3c540b3aef9dc470ccd562b9046a3883fc27a7f193550230987927db461d7e7b0a8cddfec12f45817268499bb78d02d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 f59ce7b2253a7db1f34ef62f1ead5775
SHA1 465870430edd371a2b7fd7d5d6302790328b6709
SHA256 c3361d7ea1f684c1f5578c6e1789908a8852c0ef3e8f958b5b570cb2cdbfc959
SHA512 e1ad8877323937af2e8c17057d5d097ccf1390ad4310ed8e45d503bdb9bd4a6550fab9aeed4c78a56697b59cc8483790b6443aa44ba07bfa0cb45484cf82198b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee