Malware Analysis Report

2024-12-07 02:17

Sample ID 241117-es5ala1enn
Target 39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3
SHA256 39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3
Tags
ramnit banker bootkit discovery persistence spyware stealer trojan upx worm
score
10/10

Analysis Overview

score
10/10

SHA256

39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3

Threat Level: Known bad

The file 39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3 was found to be: Known bad.

Malicious Activity Summary

ramnit banker bootkit discovery persistence spyware stealer trojan upx worm

Ramnit

Ramnit family

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 04:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 04:13

Reported

2024-11-17 04:15

Platform

win7-20241023-en

Max time kernel

119s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\pxB951.tmp C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{419A5941-A49A-11EF-AE37-6A7FEBC734DB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437978658" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2556 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe
PID 2556 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe
PID 2556 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe
PID 2556 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe
PID 280 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 280 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 280 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 280 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1952 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1952 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1952 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1952 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2356 wrote to memory of 2200 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2356 wrote to memory of 2200 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2356 wrote to memory of 2200 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2356 wrote to memory of 2200 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe

"C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe"

C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe

C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2556-0-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/280-10-0x0000000000230000-0x000000000023F000-memory.dmp

memory/280-9-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2556-8-0x0000000000260000-0x000000000028E000-memory.dmp

memory/1952-20-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1952-18-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1952-17-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2556-21-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2556-22-0x0000000000260000-0x000000000028E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 04:13

Reported

2024-11-17 04:15

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxB9CA.tmp C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31144103" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144103" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438581768" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4389DB0B-A49A-11EF-9361-FAA11E730504} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "401358892" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "401358892" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144103" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "406671176" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4560 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe
PID 4560 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe
PID 4560 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe
PID 3052 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3052 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3052 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3528 wrote to memory of 1220 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3528 wrote to memory of 1220 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1220 wrote to memory of 4464 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1220 wrote to memory of 4464 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1220 wrote to memory of 4464 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe

"C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3.exe"

C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe

C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1220 CREDAT:17410 /prefetch:2

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           58.55.71.13.in-addr.arpa        udp
US       8.8.8.8:53           172.214.232.199.in-addr.arpa    udp
US       8.8.8.8:53           api.bing.com                    udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53           75.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53           232.168.11.51.in-addr.arpa      udp
US       8.8.8.8:53           161.19.199.152.in-addr.arpa     udp
US       8.8.8.8:53           53.210.109.20.in-addr.arpa      udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa      udp
US       8.8.8.8:53           92.12.20.2.in-addr.arpa         udp
US       204.79.197.200:443   ieonline.microsoft.com          tcp
US       8.8.8.8:53           200.197.79.204.in-addr.arpa     udp
US       8.8.8.8:53           48.229.111.52.in-addr.arpa      udp

Files

memory/4560-0-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\39176b24223d03d6c8701d6b52a895dd42842588af0b6e017e7c9c8cd08975b3Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/3052-4-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3052-5-0x0000000000480000-0x000000000048F000-memory.dmp

memory/3052-8-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3528-13-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3528-14-0x0000000000570000-0x0000000000571000-memory.dmp

memory/3528-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4560-17-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 d2c6a662e9bd0c89bf8cd03b201f89bd
SHA1 7c019c00c24825eedda6b9fd3e200a39aa47771e
SHA256 08fec4715e35e941a8bc409fdafb8fab8c4b97e8883325b9082562eecc1cdca2
SHA512 332b7cf422c2f656208ad9add4b15ee0c4ee7ee0074f67be9b7af32e9b4b59d487250bedeed06cf1763c13fe0da82cefccc4ada975dd148bf686f9cad08fbefb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 2489713ba3b2f758ccf65976bafc7d29
SHA1 a330bb83d61136a46ba7359793582ea617a95c2f
SHA256 b3169661dfca9d45a775fc806d507c6a0912e07057bcf6f118d8eed09a3ba822
SHA512 e9317f5f49c204b559105e92109bc4423544f03f939c74473713f843cb7ad964715cb47758426c6ed0b35e2ad26cd3137b349f57ebbd356a1311649f375850b5

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee