Malware Analysis Report

2024-12-07 02:47

Sample ID 241115-nwl3vstdph
Target 2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit
SHA256 7bd1e0c55451a630d5c43486e99de0b610d878dc13e7212dd4b827d0dbd35c36
Tags
ramnit banker discovery spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7bd1e0c55451a630d5c43486e99de0b610d878dc13e7212dd4b827d0dbd35c36

Threat Level: Known bad

The file 2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm

Ramnit family

Ramnit

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-15 11:44

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-15 11:44

Reported

2024-11-15 11:47

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px77FF.tmp C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438436070" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143763" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3710137936" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3712794540" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{08AC5CF8-A347-11EF-B9B6-E6FB6C85BB83} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3710137936" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31143763" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31143763" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3916 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe
PID 3916 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe
PID 3916 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe
PID 2392 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2392 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2392 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4968 wrote to memory of 2248 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4968 wrote to memory of 2248 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2248 wrote to memory of 2560 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2248 wrote to memory of 2560 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2248 wrote to memory of 2560 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/3916-0-0x0000000000630000-0x000000000082C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2392-4-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4968-14-0x0000000000490000-0x0000000000491000-memory.dmp

memory/2392-8-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2392-6-0x0000000002040000-0x000000000204F000-memory.dmp

memory/4968-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4968-17-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3916-18-0x0000000000630000-0x000000000082C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-15 11:44

Reported

2024-11-15 11:47

Platform

win7-20240903-en

Max time kernel

135s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxEA6E.tmp C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437832963" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{080CD171-A347-11EF-A96C-C6DA928D33CD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe
PID 2648 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe
PID 2648 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe
PID 2648 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe
PID 2764 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2764 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2764 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2764 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3028 wrote to memory of 1740 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3028 wrote to memory of 1740 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3028 wrote to memory of 1740 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3028 wrote to memory of 1740 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1740 wrote to memory of 2592 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1740 wrote to memory of 2592 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1740 wrote to memory of 2592 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1740 wrote to memory of 2592 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnit.exe"

C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\2024-11-15_ce145605aee5b2c2277647a3cc1b20f4_bkransomware_ramnitSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2648-5-0x00000000001A0000-0x00000000001CE000-memory.dmp

memory/2764-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2648-4-0x0000000000BE0000-0x0000000000DDC000-memory.dmp

memory/3028-19-0x0000000000240000-0x0000000000241000-memory.dmp

memory/3028-21-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3028-17-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2764-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2648-22-0x0000000000BE0000-0x0000000000DDC000-memory.dmp

memory/2648-23-0x00000000001A0000-0x00000000001CE000-memory.dmp
