Malware Analysis Report

2024-12-07 02:18

Sample ID 241117-j1982avgpb
Target a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761
SHA256 a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761
Tags
ramnit banker discovery spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761

Threat Level: Known bad

The file a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761 was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm

Ramnit family

Ramnit

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 08:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 08:09

Reported

2024-11-17 08:12

Platform

win7-20240903-en

Max time kernel

144s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxA802.tmp C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437992842" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{45A65131-A4BB-11EF-B9BB-7694D31B45CA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe
PID 2364 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe
PID 2364 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe
PID 2364 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe
PID 1744 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1744 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1744 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1744 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2452 wrote to memory of 1936 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2452 wrote to memory of 1936 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2452 wrote to memory of 1936 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2452 wrote to memory of 1936 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1936 wrote to memory of 2704 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1936 wrote to memory of 2704 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1936 wrote to memory of 2704 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1936 wrote to memory of 2704 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe

"C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe"

C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe

C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 08:09

Reported

2024-11-17 08:11

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px801D.tmp C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "376330873" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144136" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "373362055" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{416E9ACF-A4BB-11EF-BEF1-CEB9D96D8528} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438595938" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144136" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31144136" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "376330873" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "373362055" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31144136" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4676 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe
PID 4676 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe
PID 4676 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe
PID 4008 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3880 wrote to memory of 4920 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4920 wrote to memory of 5028 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe

"C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761.exe"

C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe

C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4920 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\a63164f44229806c44738061a92f951aade7838ee0dbcd61f827a5e255bcf761Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

C:\Users\Admin\AppData\Local\Temp\default.ini

MD5 aef51e31c510213ff4196d40e577539d
SHA1 a5d7eecc7762778acc227af42874148a9ffab1cd
SHA256 a0ba7ec066715716747972401abee1f60c6ea96e76081b049197ce6740cb574d
SHA512 841f6bbf6fd00e9004475bbaad4fdaba1112192ee6d8fe240cf6b36d62f08d50c4cabf860dc066ae79e7b0cc215a2f166855afcf86b58cd0b2f4cce11393d329

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 d2c6a662e9bd0c89bf8cd03b201f89bd
SHA1 7c019c00c24825eedda6b9fd3e200a39aa47771e
SHA256 08fec4715e35e941a8bc409fdafb8fab8c4b97e8883325b9082562eecc1cdca2
SHA512 332b7cf422c2f656208ad9add4b15ee0c4ee7ee0074f67be9b7af32e9b4b59d487250bedeed06cf1763c13fe0da82cefccc4ada975dd148bf686f9cad08fbefb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 b325f0e73242a320dcbfb78f26b9c84d
SHA1 511945755426596d95d4903584936bd5d1cf3686
SHA256 dad089c56c00341562cb2eac45b6ffc14aee4a3bdd126ac858b8e860d27342ad
SHA512 55b26b70906785dc8e3ff0d90890f6e2aa4df4db5e96d9f653ce5bef4dec3af1a69b061c5f12b2cdc8382c7ea9565971a205e58f02915088dd688b858fa7b06c

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verFABB.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
