Analysis Overview
SHA256
a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761
Threat Level: Known bad
The file a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761 was found to be: Known bad.
Malicious Activity Summary
Ramnit family
Ramnit
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 08:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 08:09
Reported
2024-11-17 08:12
Platform
win7-20240903-en
Max time kernel
144s
Max time network
140s
Command Line
Signatures
Ramnit
Ramnit family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Microsoft\pxA802.tmp | C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437992842" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{45A65131-A4BB-11EF-B9BB-7694D31B45CA} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe
"C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe"
C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe
C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
memory/2364-19-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2452-18-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2452-16-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/1744-13-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2364-5-0x0000000000250000-0x000000000027E000-memory.dmp
memory/2364-4-0x0000000000400000-0x00000000004FD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\default.ini
| MD5 | aef51e31c510213ff4196d40e577539d |
| SHA1 | a5d7eecc7762778acc227af42874148a9ffab1cd |
| SHA256 | a0ba7ec066715716747972401abee1f60c6ea96e76081b049197ce6740cb574d |
| SHA512 | 841f6bbf6fd00e9004475bbaad4fdaba1112192ee6d8fe240cf6b36d62f08d50c4cabf860dc066ae79e7b0cc215a2f166855afcf86b58cd0b2f4cce11393d329 |
memory/2364-49-0x0000000000250000-0x000000000027E000-memory.dmp
memory/2364-50-0x0000000000400000-0x00000000004FD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabD50D.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarD59D.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ab31de9e77d1564a0f8984538c9a87da |
| SHA1 | 28f349da2a005619e1773dc3b04403a2bac51579 |
| SHA256 | 5bfe8ac9094e2208c53ed098874aabad0838473646dc9fc05918e23714a60285 |
| SHA512 | 734779f65702c89acf2e8ddb8e4813eac9404881876aa6117e87d89dcb7043c685ff827286e0959040dd40bbb136980dd3aaecd637f50349ca6b3a01911eef11 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ab6712d118503357d8fbc36b5fe5ec6d |
| SHA1 | d64a90f750bd9eee9f4fc7612efe324d02de34c2 |
| SHA256 | 171bf2afdae862650cad4939fe0b93c2b1ccde6bdd2b6b649690c486736ed9ce |
| SHA512 | 81d2a6179a99274401c11eec218517789b287862fbf2f5abac6c2fc54a62125645a8bd4ed16860f3f9d7f6b1c5d2c9d5deb4bce2e776d1e92755396b08dff185 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dc17b3a74f12d9e32e9b71c4fdd6fe65 |
| SHA1 | 15161c4d7417a67cb30cb6984e2550a498e3f9f9 |
| SHA256 | 40ff9a0471d000e5121e2afea64390ad47aeb6719245d1a7cb8e04510ad25cff |
| SHA512 | 95e0010b44d68426e3f2d91c04e7863bf3c5b88ddb6e7523b8841a9f96c0ea17cb36213de96c053da7f7848f3e6dcb690f7b4da34f7309b4d8fbf7c05f431349 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ac33acf21d6f53225bc1c4af669ec2ba |
| SHA1 | 1a1e39fa88c0b1303856055a1c28495c0ae387a9 |
| SHA256 | 41145f600120e32d7be395f439e1226ce6a67d380aabdb03dd7e12f7c32db05c |
| SHA512 | cfb89e6e3a8effefed6f9e3d5670ebff7088b0e2823d755902845ff771e197fbbebd229fed607ce478b7352e8441418ffada1dc609962aca0ef9734db7277b19 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5e797e18a85fc89a546a373261c2ef44 |
| SHA1 | a8a06509f2c86074078798d7bd01894282e0bbed |
| SHA256 | 13c1f7501c483d31a986979efc15dd3778572072fbc59a7eaa5740a50ac727a4 |
| SHA512 | 4f166e757c5fd1d2aa0bee54059e497c5cc7311b411ad05511a8c3601174328fd31bfa8e7d1489fbef95b82ebc29f5434aea87b627c96cdf5bcd3de2d422712a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dc8546e30c836847a42809e4d06427fe |
| SHA1 | fca62978113cda51668eae8d7d856d4998cc7e03 |
| SHA256 | 467cb704e1d06fa1671f31fe6ca0468fe8e66ecbf1e2de16e12bebaa06f5be40 |
| SHA512 | dd993f90e2f6f7bde5f70a96987e26cd709e8858902b2d8696834896fd96b93ba25d99d48a5f76f9364a3e076438dc15fa8e8ca7fc6d8daf746ea1406c1c9dd5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6b4dc0d570f9b8dda1aa5babbf0e8290 |
| SHA1 | 0268afe9a4622d23dc6ef41deb051ac1d1478b0c |
| SHA256 | a93d3fd984c70b099dacfbd1debdeb671009d528543a9070815e08fbab83c887 |
| SHA512 | 751e8d5fbd7f0897f8e72cb9c060b89a8f186a64b97dbbd1f518c06ea0d08a4675986aca78eb11e21bd85dfe1e00004ffe24ec488610612b954b62cd2bf639b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b1fd2ca2140933c5979994b5c2e86a30 |
| SHA1 | d605ee4ee139e5107b29ea739cbce93af79c286f |
| SHA256 | 0d3916303ff19e5825895258cda7e7647daef5d9750bc31e784e797bcad5a1cc |
| SHA512 | 071aa46016a526b3d2af584b71864c8421d8f8f16ce263f391ea678c479dd5a8acecd12867a40a9b8607c2fc65509d5c87e9b8f385bd23df59aa720fdec3cd1f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c21f2158774d9d5c735f85a6ef674e12 |
| SHA1 | 9269f6de990a4e520213cf2c3a12982d490334a1 |
| SHA256 | 054e5e4ad772c1467ec0300c8c1ff172e6b65c44961287673700d1ca92ff3c60 |
| SHA512 | 456547de59a6882fc6a185b5245fe7d69dad65215197cec4a0e7c22abfeba5caf15bdb47d31966489ba6736054ef3c63ccd52e32b311b34d487e83cc5b7d8df3 |
memory/2364-537-0x0000000000400000-0x00000000004FD000-memory.dmp
memory/2364-567-0x0000000000400000-0x00000000004FD000-memory.dmp
memory/2364-626-0x0000000000400000-0x00000000004FD000-memory.dmp
memory/2364-685-0x0000000000400000-0x00000000004FD000-memory.dmp
memory/2364-715-0x0000000000400000-0x00000000004FD000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 87d574eaa41d985184c766007bede9bd |
| SHA1 | f8e41915d3ff02d120895d20574a9115be143696 |
| SHA256 | 986dd506b8e2dcbdd242b32129dcaad29fc1ad93b4fb5e636a4fad2d7e8bc4a6 |
| SHA512 | 92e3d91fb33f12db7ac72d241b3c120b97482da8289f1627b72b87cf07ca9e9c3f2b1da5ba15fc31f10ee7cd8c695f1d9dff7a11a0cdbd1b71a0fa3dcd47a43d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | afd725da35813530ce762621bcfd201b |
| SHA1 | 2cbbf4746921c7ca74d56ebc35499d5f1cc7b7b1 |
| SHA256 | de87289463a662c15ebadb0a10f4a3081f5a8b3e7d9e8afebbc098993a398689 |
| SHA512 | 64131402147f3828dfd472a04f09f81bf62689a6328b1faf9b6d56fd82d540b7215623421e6f52e593f63c4e6219160ac2aea172151e83fdff74decbeaef6376 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e32d45acdb81bd6a28ba55cb7e6bb52b |
| SHA1 | d0ec6901d7b94f918c009af6d5bdec0024c85297 |
| SHA256 | f42207ef5601a87f56b5bcec852ff460af9bae139101ff304d99b641aa216537 |
| SHA512 | 84dcbeff80d87f3f2e4efa1bec8b9598ce35e3dc8b68804dffc89435444abca047e83165e4429a39d6a41388e0d189b702d8671ae2e72ac24afc77c96c5e5754 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a1c46fa2536526dc07754f63d727e53b |
| SHA1 | 053c01283e9de0184df3228695d0875d7750e943 |
| SHA256 | 7d88d3b7233f837dac8dfcd190b814178707ce967f8b825177c6ed20ded2376a |
| SHA512 | 2dd3f799b1003db9009ba206554ea09326182300f8da9fbdd26c699c0b29bade566421b6c63aff2dd049ae6c769f4f9bac9adbd6d50e78e90e105e18595b6bbc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f6095c71b253df09fb6519005f282cb4 |
| SHA1 | a5de2f450a7319c3f5eb35e56abffc689f50b2bf |
| SHA256 | c6d8319bb5c8df841295f9d00a872646971e387730331204a6f1058a2c44380f |
| SHA512 | 3a91cca61fa3103902b08d44bfe74d4f781d589ba918a632d2fc04235b75b9f7755eabdae285ba5d9f2c077027dcd7be8f36051086ae296ea87876c15ff7b3b3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8802c771bc76275485ca975d5e0924a5 |
| SHA1 | e91bf753da9c9a3b515f421df52564575ad17e35 |
| SHA256 | 844b12275a671fdf805cd2595e8e15f43f67c4eb01485be479ea9258be4505d2 |
| SHA512 | 6dbaa9a30ab8b8b47bca9af41992aceabe8736062ee0f911a3db788d5726766603a1a2c7498698a522105279419ff432b7a6e6f396096eb9cbf251cf82b4650f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 780973be538a5e64540305b995399a1a |
| SHA1 | bda38d0e3d851a1a8ec173591de82daf4ebde03c |
| SHA256 | b21b2fef48771165ea00019caebd09801bcc4791f86532d9b9145f3a38e59b82 |
| SHA512 | f0d9995ca2f28447e21f4fb924e51c43e57e1eaa7cb7d671f4202d695f7b4f5a6f3bd2be71b57e07ee55423a938e82fe078f0cb8d4b791ef79187227d8ea3df5 |
memory/2364-1098-0x0000000000400000-0x00000000004FD000-memory.dmp
memory/2364-1236-0x0000000000400000-0x00000000004FD000-memory.dmp
memory/2364-1237-0x0000000000400000-0x00000000004FD000-memory.dmp
memory/2364-1296-0x0000000000400000-0x00000000004FD000-memory.dmp
memory/2364-1326-0x0000000000400000-0x00000000004FD000-memory.dmp
memory/2364-1385-0x0000000000400000-0x00000000004FD000-memory.dmp
memory/2364-1444-0x0000000000400000-0x00000000004FD000-memory.dmp
memory/2364-1474-0x0000000000400000-0x00000000004FD000-memory.dmp
memory/2364-1533-0x0000000000400000-0x00000000004FD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 08:09
Reported
2024-11-17 08:11
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Ramnit
Ramnit family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Microsoft\px801D.tmp | C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "376330873" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144136" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "373362055" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{416E9ACF-A4BB-11EF-BEF1-CEB9D96D8528} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438595938" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144136" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31144136" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "376330873" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "373362055" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31144136" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe | "C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe" |
| C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe | C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe |
| C:\Program Files (x86)\Microsoft\DesktopLayer.exe | "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4920 CREDAT:17410 /prefetch:2 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
C:\Users\Admin\AppData\Local\Temp\default.ini
| MD5 | aef51e31c510213ff4196d40e577539d |
| SHA1 | a5d7eecc7762778acc227af42874148a9ffab1cd |
| SHA256 | a0ba7ec066715716747972401abee1f60c6ea96e76081b049197ce6740cb574d |
| SHA512 | 841f6bbf6fd00e9004475bbaad4fdaba1112192ee6d8fe240cf6b36d62f08d50c4cabf860dc066ae79e7b0cc215a2f166855afcf86b58cd0b2f4cce11393d329 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | d2c6a662e9bd0c89bf8cd03b201f89bd |
| SHA1 | 7c019c00c24825eedda6b9fd3e200a39aa47771e |
| SHA256 | 08fec4715e35e941a8bc409fdafb8fab8c4b97e8883325b9082562eecc1cdca2 |
| SHA512 | 332b7cf422c2f656208ad9add4b15ee0c4ee7ee0074f67be9b7af32e9b4b59d487250bedeed06cf1763c13fe0da82cefccc4ada975dd148bf686f9cad08fbefb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | b325f0e73242a320dcbfb78f26b9c84d |
| SHA1 | 511945755426596d95d4903584936bd5d1cf3686 |
| SHA256 | dad089c56c00341562cb2eac45b6ffc14aee4a3bdd126ac858b8e860d27342ad |
| SHA512 | 55b26b70906785dc8e3ff0d90890f6e2aa4df4db5e96d9f653ce5bef4dec3af1a69b061c5f12b2cdc8382c7ea9565971a205e58f02915088dd688b858fa7b06c |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verFABB.tmp
| MD5 | 1a545d0052b581fbb2ab4c52133846bc |
| SHA1 | 62f3266a9b9925cd6d98658b92adec673cbe3dd3 |
| SHA256 | 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1 |
| SHA512 | bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |