Malware Analysis Report

2024-12-07 02:15

Sample ID 241117-h39vlsvakg
Target 8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9
SHA256 8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9
Tags
ramnit banker discovery spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9

Threat Level: Known bad

The file 8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9 was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm

Ramnit family

Ramnit

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 07:16

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
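
The static pass reports only "UPX packed file" and "Unsigned PE", with no indicator detail. The UPX verdict is normally reached from the section table: stock UPX output carries a UPX0 section (empty on disk, the in-memory unpack destination) and a UPX1 section holding the compressed payload, and that payload section has close to 8 bits of entropy per byte. The following is an added example, not code from the report or from the sandbox that produced it: it parses the COFF section table with struct only, combines the section-name and entropy signals, and ships with a constructed minimal PE fixture because the sample's own bytes are not on this page. Section names are a weak signal on their own (the packer can be told to keep the original names, and a repacker can rename them), which is why the entropy check is kept alongside.

```python
import math
import struct
from collections import Counter

# Section names stock UPX writes; renamable, so treat as a weak signal
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(pe: bytes):
    """Walk the COFF section table and yield (name, raw_offset, raw_size, entropy)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_header_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_header_size  # 4-byte signature + 20-byte COFF header
    for i in range(num_sections):
        entry = table + i * 40               # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[entry:entry + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, entry + 16)
        yield name, raw_ptr, raw_size, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])


def upx_indicators(pe: bytes) -> dict:
    """Combine the two cheap static signals: UPX section names and a high-entropy section."""
    sections = list(pe_sections(pe))
    names = [name for name, _, _, _ in sections]
    upx_named = any(n in UPX_SECTION_NAMES for n in names)
    # UPX0 has no raw data on disk, so only sections with bytes are scored
    high_entropy = [name for name, _, size, ent in sections if size and ent > 7.0]
    return {
        "section_names": names,
        "upx_named": upx_named,
        "high_entropy": high_entropy,
        "packed_suspect": upx_named or bool(high_entropy),
    }


def build_fake_pe(sections):
    """Constructed fixture for this example: a minimal, non-loadable PE whose DOS stub,
    COFF header and section table carry only the fields pe_sections() reads."""
    opt_header = struct.pack("<H", 0x10B) + b"\0" * 222  # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt_header), 0x102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    raw_ptr = 0x40 + 4 + len(coff) + len(opt_header) + 40 * len(sections)
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data),
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + opt_header + table + blobs


# Constructed fixtures: a UPX-style layout (empty UPX0, dense UPX1) and a plain build
PACKED_SAMPLE = build_fake_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 4), (b".rsrc", b"\0" * 64)])
PLAIN_SAMPLE = build_fake_pe([(b".text", b"\x90" * 256), (b".data", b"A" * 64)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, upx_indicators(blob))
```

Run it against a real dropped binary by replacing the fixture with `open(path, "rb").read()`; a sample whose table shows UPX0/UPX1 can usually be unpacked with `upx -d` before further static work, while a high-entropy section under a non-UPX name points at a different or modified packer.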

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 07:16

Reported

2024-11-17 07:19

Platform

win7-20241023-en

Max time kernel

140s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx
Description Indicator Process Target
(8 matches; the sandbox reports no description, indicator, process or target for any of them)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxC1E8.tmp C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ED05AC81-A4B3-11EF-9841-C6E03328980A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437989683" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe
PID 2036 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe
PID 2036 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe
PID 2036 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe
PID 2344 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2344 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2344 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2344 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1984 wrote to memory of 2588 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1984 wrote to memory of 2588 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1984 wrote to memory of 2588 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1984 wrote to memory of 2588 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2588 wrote to memory of 1988 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2588 wrote to memory of 1988 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2588 wrote to memory of 1988 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2588 wrote to memory of 1988 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
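
The WriteProcessMemory rows above describe one injection chain: the sample writes into the Srv.exe copy of itself, the copy writes into the DesktopLayer.exe it dropped under C:\Program Files (x86)\Microsoft, and DesktopLayer.exe writes into iexplore.exe. The last hop, iexplore.exe writing into IEXPLORE.EXE, is Internet Explorer's own frame-to-tab process creation (the SCODEF/CREDAT command line in the Processes list) and the registry churn under "Modifies Internet Explorer settings" is written by those IE processes, so a detection keyed on "anything writes into iexplore.exe" would fire on every IE launch. The following is an added example, not code from the report or from the sandbox: it parses these rows, rebuilds the chain from the root process, and flags only writes into a browser image from a non-browser image. The row strings are copied from the table above as constructed input, and the BROWSERS set and function names are this example's own.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = "8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"

# Constructed input: the behavioral1 WriteProcessMemory rows, one row per reported call
WPM_ROWS = (
    [f"PID 2036 wrote to memory of 2344 N/A {TEMP}\\{SAMPLE}.exe {TEMP}\\{SAMPLE}Srv.exe"] * 4
    + [f"PID 2344 wrote to memory of 1984 N/A {TEMP}\\{SAMPLE}Srv.exe "
       "C:\\Program Files (x86)\\Microsoft\\DesktopLayer.exe"] * 4
    + ["PID 1984 wrote to memory of 2588 N/A C:\\Program Files (x86)\\Microsoft\\DesktopLayer.exe "
       "C:\\Program Files\\Internet Explorer\\iexplore.exe"] * 4
    + ["PID 2588 wrote to memory of 1988 N/A C:\\Program Files\\Internet Explorer\\iexplore.exe "
       "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE"] * 4
)

# Both paths start with a drive letter and end in .exe, which disambiguates the spaces in "Program Files (x86)"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?\.exe) (C:\\.*?\.exe)$", re.I)

# Images that legitimately write into their own child processes (IE frame -> tab)
BROWSERS = {"iexplore.exe"}


def parse_rows(rows):
    """Return {(src_pid, dst_pid): (src_image, dst_image, write_count)}."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # rows the sandbox left entirely as N/A
        src_pid, dst_pid, src_img, dst_img = m.groups()
        key = (int(src_pid), int(dst_pid))
        prev = edges.get(key)
        edges[key] = (src_img, dst_img, prev[2] + 1 if prev else 1)
    return edges


def injection_chain(rows):
    """Follow cross-process writes from the root (a PID nobody wrote into) and return image names in order."""
    edges = parse_rows(rows)
    children, images = defaultdict(list), {}
    for (src, dst), (src_img, dst_img, _) in edges.items():
        children[src].append(dst)
        images[src], images[dst] = src_img, dst_img
    targets = {dst for _, dst in edges}
    roots = [pid for pid in images if pid not in targets]
    if not roots:
        return []
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append(PureWindowsPath(images[pid]).name)
        nxt = children.get(pid, [])
        pid = nxt[0] if nxt else None
    return chain


def suspicious_writes(rows):
    """Writes into a browser image from something that is not itself the browser."""
    flagged = []
    for (src_pid, dst_pid), (src_img, dst_img, count) in parse_rows(rows).items():
        src_name = PureWindowsPath(src_img).name
        dst_name = PureWindowsPath(dst_img).name
        if dst_name.lower() in BROWSERS and src_name.lower() not in BROWSERS:
            flagged.append((src_pid, dst_pid, src_name, count))
    return flagged


if __name__ == "__main__":
    print(" -> ".join(injection_chain(WPM_ROWS)))
    for src_pid, dst_pid, src_name, count in suspicious_writes(WPM_ROWS):
        print(f"flag: {src_name} (PID {src_pid}) wrote {count}x into browser PID {dst_pid}")
```

The same code runs unchanged over the behavioral2 table, where the PIDs differ but the images and the single flagged hop (DesktopLayer.exe into iexplore.exe) are the same, which is the durable part of the indicator.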

Processes

C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe

"C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe"

C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe

C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2036-0-0x0000000000400000-0x00000000004B4000-memory.dmp

\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2344-10-0x0000000000230000-0x000000000023F000-memory.dmp

memory/2344-9-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1984-20-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2036-21-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2036-5-0x0000000000250000-0x000000000027E000-memory.dmp

memory/1984-18-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1984-16-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2036-22-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/2036-23-0x0000000000250000-0x000000000027E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabE207.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarE2B7.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a90e49b4ca39d206c77464b86779dc7
SHA1 9522ec6723b719db72c4126fd18bd582921fc86b
SHA256 6600e52d0aed97974a049ce6cdcc40d815fb8d3b711283fbcce81c2db0130769
SHA512 f689f70d1d639928f12c141dcb3ea877a943102f9ebc04196574248d5c061fc2db28c3d4d86e96e8eb3fc291362f6beb4b2ebb671a4b6a8db2ee1cba06671606

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5cebeee3aab13c73f9b390d3e436dbd
SHA1 ae2cc5778dd0e6e7151c79e56043c4506ba17ae7
SHA256 4b683437db3285ae641466ab49d42dd10f86cdb40e30e0d6b70c4ad4698f2778
SHA512 f7d7aebb4a8a1e69fd00d97b60087e85fbe89c866076a9ac0d2b101280240d876d6aef3e5059bd9445ad88cedc9b055062a308f9d66b211851ea6bda1735bc69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b3fb4b1d453d9646dfd2fd889942cb1c
SHA1 7c6aad11a316b514697a1b56c292b7329be375b0
SHA256 18d44b9d2831360899889d35acfcc81ed548fc3201b2a4ee4c1224c585a39ca1
SHA512 3eec4306cc5b7230ae975749ad4bd4f2ba216b3dfeea361cf3658f18e153c573c4dcb0aaabb24dd864323ace3eed48c235de4d231ad4057644e972427f69a64a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cdeb2e4fb72e3197bdb44d2a058e3c3f
SHA1 1a796dc33dcb2d8bd17e961f375ce4a61d39f321
SHA256 b7019a0398e68b6b77ae31613ab5b864e06d518744018f6f44f03bd350f1b526
SHA512 5610b70b8d56b7bbd2864b96cf5d41f1551984bde3a3e4e1a9f2b5cebeeb676dadf5fb296985404d6c331431eb24c6f9014c3eca92615148332657d7e84b3438

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f42249a607b358578a694342f0315b3
SHA1 8b14b6f11ff346512e256c5eae7283755d64000c
SHA256 31f0ba12c9eed45b0e35e992c807289dacd773084475cc00896808075ad84c9d
SHA512 b38f215df20344a9550ca340c404f0bceceb2b03f2b3e7d60391e1b8557c66f860b43d31e641a7ce8d3a6348f0d8c4156afa259ceda06a94ebba4973ae205c32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a0f9b0667f16c06e6d19040996474413
SHA1 e49300346a7812bebfacc3afacadbb57021b6f97
SHA256 549abe18c9313b35c60f6cfa87de404f2a323e19878492f9dbae6edcecc9d3af
SHA512 52d2bcf5f0eaba8331ed0128b38d896d064775b6890378cf8c03344a0061d0e9b4607b92688fbc7e66e49801342f0ae2dc00d276e698d049ebda61374517b925

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc780a7a430c7b57ce6b31007c1ea234
SHA1 0e84abfbe18d8329898961d89b90e23f02a40d96
SHA256 66a45316ed1aae4d2e166946ec59ae5431db3420f6f3825725cd602d85579a72
SHA512 a66d1cfcb0f05781c62498ca92db3550bb9ebdaa96980dd28e62e0ed0f0834767f6c1e3e3a40bc9392f269debae0d6d890982270d940b77f8756da49f3de87ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 747d29dd7b4d8236007ad862267b2479
SHA1 ac809388809b2361f186c0cf4ca05a69d5bebed8
SHA256 614fd98866ff08429ee8f9a1876e2302f0175f55774d2f5270f87303206c4b38
SHA512 3ccabd3e5e43ec5d44bb1974f7b97bb3611fff3fee2b0b932edb9def77a3e010784e00e50c834d84cf18b47fe17f68b1f57f8533ad0d5d798b255b8612ec7bb2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e0bd461040591ee5e82b362c1d4efba
SHA1 8e9023e414165d08c8f95416f9bb49efa7db5945
SHA256 578663236f6035327e3d70154c78dda866651f898bbeaddf6ff34691bd3e1f67
SHA512 5974f627f56ee7e8c376f24122bbf389a0566e8e04de0dbe99e5d5f04f7ca144aeeea5caedd373d9303c0871f27dd57175fbe6c7b110c813f56b67ae03e976c8

memory/2036-453-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a332375bfaf32f7473a2c9b892ac308
SHA1 268e7f4d2b8548cfad7dfbe22fd3a23f2c26100d
SHA256 1abb1dc878162baa4447b6a0016249f17a3470f6882c92c57cb8a7e4b38ddf52
SHA512 5f407f223f9f6deba53881fe8dc7adaab0bcf5d12ec8eb4f4b61f4b70e30ea204a097b541cd6a57501a516ca21549ce69b27187ffeaec507d18b9ee1a6b38209

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76586ced10007695b8959d502102191c
SHA1 7ae33630a812fb67335db87a3fdbb43e85fb95e2
SHA256 7de30229f9e38f91e9a657bc075980d03b56a9d01858805475a4130d7c25ee7f
SHA512 f33f7adbc70ade7316349f1dffe9a687d0d22c3029ba5b292ede757370a52bac2a1538018767be17630a849162a94329333c285938eb7e6fa4025692530770b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c06851508b7a413601fb626b19d52030
SHA1 3474382d982a9844f541cb08ee2495111829f086
SHA256 3694b67495cf27fc8a6fad457ff87fe59487d2887b802d8cff1e8f7bcf4a3a8c
SHA512 84b85e1e8596280da365d02b0a0463aa0ab40f80e188761275d4346f181e1596806bb8c41d3663893d3432246390b986abecd5bad87a68f848cc48905a7ddc4c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 148c1a87efc84692d8555098fa5b8a61
SHA1 8bba325af5de048bc95a549c7a968b3186d2928f
SHA256 dfa12c71c60a547f1572b13511c822cee63b85387509c942d7a5ecc469eecf45
SHA512 51b30b9eaed2ca5580d4179a664f260668f208d32b098b9fec4c8083e38ecb1087cffac0e64b31ede15db8f983d8c6add21baae31d595636e211ec0246bf721d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17a951054aaec3f5698e50df27b1d541
SHA1 f005de77f4bb37a689ba0f704ca838153cef0bda
SHA256 0847175894362cb6893ac8d835f7f2ff33f445dad1a130420d3c911ce3e146f1
SHA512 d6684c3fa34a97b599348a35aa1946cb4de951193be4e02d7365e77f1627c55f3491333f6527f592cc7e6977ef1b1ed8697ae7616b33c8b01674e29388eee733

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f38d190d3383967b15647a0d8fcd3737
SHA1 0f8e4b77f6b1b8963fb1900197fd015f4bfb22cb
SHA256 b74961e7cba1dcdf04454c1b4c57c58b013cf2126f7c0b9bcdb066c353d34269
SHA512 73b6a2522b1ba0d373c0ec7dd9c06f69e4f33fee3ce1d2adff20cdbe5faa6c0833d8e513613984c06d0055b76e094aed79c6fc1db89277f7b6c090d6d2512b99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb57fc4a49759fccd1c990c9345d01e0
SHA1 ba17328d17956c7d65dccc4b7dec737d8257074b
SHA256 5fad57a82cf0a5313b9a2b7a3eff0683718b8d17b7f88e01aa7c7b96a628f61d
SHA512 30a1b6b19498d5dfd8fd5d499224b4ce93e6334740e6bd86d2442899f21b39d76f46970a9cd49bf14d90cfd28893da39d190d73de1410fda7e6c50aace1c0345

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ecfc1ed6b08145f80ee68ab116c2c11e
SHA1 76fbb95372bf21b875ec301222255913460f9136
SHA256 2b410b494f5e1eb104eaa3b185b0ded60ce00aef93dbe34bb55233334cf05212
SHA512 8943b49f0b658ef378e5f3d7ccd792ea721985154e8c3b2550534cdbdc08c6fdb4aa9f5758d3db27e62b6eebd6e6cf288109aaad9220e7b028178b35206f9ee1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab23eadb2529f45ef1be05bb42e6a499
SHA1 6ccdf0dd86fbbfd38a9e3e054dac04d7f2a045a3
SHA256 ba14f739917b673254fab7e128a5a4ba3c3b564bb426c92b862ae0f0f171cb89
SHA512 339bba7b9cebdda97448afe64e552e3f821022ecc4dd9ab2da244fc4ec2c2ab43d145fa4f41abff83efcc55ba8fc79cdb71bdfc25a4f3c6b6ddee2f452c58cc4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b4949ee09374fc2acec11098acc44e2
SHA1 04da70776debb129c7daf2cbdbf73034bef90854
SHA256 9b779fd78dc6ac745d4c4dbce445f969daf93aa4b95f8a826620dc60616ae8aa
SHA512 e14c11995cc03d4bf18abaeab665b06769edb680a9614ec5b70cf7f2fb818824263fdb5a3493f8eecadd91505a06ce3ed3d2304b2cab3cd85faf8844a172cf9d

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 07:16

Reported

2024-11-17 07:19

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx
Description Indicator Process Target
(9 matches; the sandbox reports no description, indicator, process or target for any of them)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxC747.tmp C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3257326485" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438592791" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EDBD5134-A4B3-11EF-B9D5-FA9F886F8D04} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3262639297" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3257326485" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31144128" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144128" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144128" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4960 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe
PID 4960 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe
PID 4960 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe
PID 4584 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4584 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4584 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4972 wrote to memory of 4588 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4972 wrote to memory of 4588 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4588 wrote to memory of 2300 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4588 wrote to memory of 2300 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4588 wrote to memory of 2300 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe

"C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9.exe"

C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe

C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4588 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4960-0-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8dbb61a0d40951a0b9fe74788cfd16c3fb44d3f525b6f51a948aae103b2674a9Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/4584-4-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4584-8-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4584-6-0x0000000000500000-0x000000000050F000-memory.dmp

memory/4972-12-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4972-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4960-14-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4972-13-0x0000000000560000-0x0000000000561000-memory.dmp

memory/4972-17-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4960-19-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 d2c6a662e9bd0c89bf8cd03b201f89bd
SHA1 7c019c00c24825eedda6b9fd3e200a39aa47771e
SHA256 08fec4715e35e941a8bc409fdafb8fab8c4b97e8883325b9082562eecc1cdca2
SHA512 332b7cf422c2f656208ad9add4b15ee0c4ee7ee0074f67be9b7af32e9b4b59d487250bedeed06cf1763c13fe0da82cefccc4ada975dd148bf686f9cad08fbefb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 47dd4781de0aaee80ac1bbe909a046ab
SHA1 ebc5b00e319e7035ea493e2d3bfbf9d2a35ac433
SHA256 27f18b2e0ba9fff59bd5513cdf8e2eaac29d75055ab23451ce3da2fef31fccb2
SHA512 f1785334d8ceea49d6808cb465415ebbbcaafe102d88b216548cbba562796f677d604655104634d60b341008180a1676ff6ddccbea9ba9cabf5742bcd898afbd

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee