Malware Analysis Report

2024-12-07 02:15

Sample ID 241117-z2kb1aycle
Target 29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524N.exe
SHA256 29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524
Tags
ramnit banker discovery spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524

Threat Level: Known bad

The file 29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524N.exe was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm

Ramnit

Ramnit family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 21:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 21:12

Reported

2024-11-17 21:15

Platform

win7-20241010-en

Max time kernel

69s

Max time network

74s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524N.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft\pxE428.tmp | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe | N/A
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B80ADFD1-A528-11EF-AAD8-6AD5CEAA988B} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438039846" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3000 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524N.exe | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe
PID 3000 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524N.exe | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe
PID 3000 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524N.exe | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe
PID 3000 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524N.exe | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe
PID 2240 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2240 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2240 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2240 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2980 wrote to memory of 2852 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2980 wrote to memory of 2852 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2980 wrote to memory of 2852 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2980 wrote to memory of 2852 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2852 wrote to memory of 2784 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2852 wrote to memory of 2784 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2852 wrote to memory of 2784 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2852 wrote to memory of 2784 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524N.exe

"C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524N.exe"

C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe

C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:275457 /prefetch:2
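The write table and the process list above describe one chain from two angles: the sample writes into a sibling it named by appending Srv.exe, that sibling writes into the DesktopLayer.exe it dropped under C:\Program Files (x86)\Microsoft, and DesktopLayer.exe writes into a freshly started iexplore.exe. The registry writes under "Modifies Internet Explorer settings" are Internet Explorer's own start-up housekeeping (Recovery, Window_Placement, WindowsSearch); the signal is that iexplore.exe was started and written to by DesktopLayer.exe, not what iexplore.exe then wrote. The Python below is an added example, not part of the sandbox output: it parses a constructed copy of the behavioral1 WriteProcessMemory rows (each row is one observed write, four per hop), collapses the repeats into a per-hop count, rebuilds the PID chain and names the two hand-offs that are specific to this family. The paths, PIDs and file names are those of the report; the regex and function names are the example's own.

```python
"""Rebuild the cross-process write chain from sandbox 'WriteProcessMemory' rows
and flag the two Ramnit hand-offs the report shows.

Added example, not part of the sandbox output; ROWS is a constructed copy of the
behavioral1 table above.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + "\\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524N.exe"
SRV = TMP + "\\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe"
LAYER = r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"


def _row(src, dst, src_img, dst_img):
    return f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"


# One row per observed write, exactly as the report lists them (four per hop).
ROWS = (
    [_row(3000, 2240, SAMPLE, SRV)] * 4
    + [_row(2240, 2980, SRV, LAYER)] * 4
    + [_row(2980, 2852, LAYER, IE64)] * 4
    + [_row(2852, 2784, IE64, IE32)] * 4
)

# Paths contain spaces, so the target path is recognised by its drive prefix.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")


def parse_rows(rows):
    """Collapse repeated writes into {(src_pid, dst_pid): (src_img, dst_img, count)}."""
    edges = {}
    for line in rows:
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        key = (int(m[1]), int(m[2]))
        src_img, dst_img, n = edges.get(key, (m[3], m[4], 0))
        edges[key] = (src_img, dst_img, n + 1)
    return edges


def write_chains(edges):
    """Return every root-to-leaf path of writers, as lists of (pid, image)."""
    children = defaultdict(list)
    image = {}
    for (s, d), (s_img, d_img, _) in edges.items():
        children[s].append(d)
        image.setdefault(s, s_img)
        image.setdefault(d, d_img)
    written_into = {d for _, d in edges}
    roots = sorted(s for s in list(children) if s not in written_into)
    chains = []

    def walk(pid, path):
        if pid in {p for p, _ in path}:  # guard against a malformed cycle
            return
        path = path + [(pid, image[pid])]
        if not children.get(pid):
            chains.append(path)
        for child in children.get(pid, []):
            walk(child, path)

    for root in roots:
        walk(root, [])
    return chains


def ramnit_indicators(chain):
    """Name the Ramnit hand-offs present in one chain.

    Both patterns are taken from this report: the sample writes into a sibling
    named <stem>Srv.exe in the same directory, and DesktopLayer.exe under
    C:\\Program Files (x86)\\Microsoft writes into iexplore.exe. The final
    iexplore.exe -> IEXPLORE.EXE hop is IE's own frame-to-tab launch (the
    SCODEF:2852 command line above) and is deliberately not flagged.
    """
    layer_dir = PureWindowsPath(r"C:\Program Files (x86)\Microsoft")
    hits = []
    for (_, src), (_, dst) in zip(chain, chain[1:]):
        s, d = PureWindowsPath(src), PureWindowsPath(dst)
        if s.parent == d.parent and d.name.lower() == (s.stem + "Srv.exe").lower():
            hits.append("sibling *Srv.exe dropper")
        if (s.name.lower() == "desktoplayer.exe" and s.parent == layer_dir
                and d.name.lower() == "iexplore.exe"):
            hits.append("DesktopLayer.exe -> iexplore.exe injection")
    return hits


def analyze(rows=ROWS):
    """Return (pid chain, per-hop write counts, indicator names) for the first chain."""
    edges = parse_rows(rows)
    chain = write_chains(edges)[0]
    counts = [edges[(a, b)][2] for (a, _), (b, _) in zip(chain, chain[1:])]
    return [p for p, _ in chain], counts, ramnit_indicators(chain)


if __name__ == "__main__":
    pids, counts, hits = analyze()
    print(" -> ".join(map(str, pids)), counts, hits)
```

Run against the report's rows it prints the chain 3000 -> 2240 -> 2980 -> 2852 -> 2784 with four writes per hop and both indicator names. The same parser applies unchanged to the behavioral2 rows (PIDs 4196, 1372, 3604, 4916, 4160), where the hop counts are 3, 3, 2 and 3.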

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/3000-1-0x00000000013A0000-0x0000000001723000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2240-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3000-6-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2240-10-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2240-9-0x0000000000230000-0x000000000023F000-memory.dmp

memory/2980-18-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2980-20-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2980-19-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3000-22-0x00000000013A0000-0x0000000001723000-memory.dmp

memory/3000-23-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabFEFB.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarFFB9.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2cad0cba62a4ff41e4d2e290cd6b2097
SHA1 6c807e1c7be5ddd0772dfc5b47bd00fe6e4262d6
SHA256 33c20477ec9a3404b6fdd3f70fd2a0af354a4ef94130215e140e2b10dd4d67c5
SHA512 6e1b845d66eb159d74531cec1bd3fcd33341bbbe734873ed0018bae530027fe93289284f27afb34b6facc28d53a15e4cd9a1b1d8f7c7c73bc52b58ce7d8a8937

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ae1b9f8f0791c3b9f4131d70792ed77
SHA1 018f8d6b9de686d5cf31e77f73012ba978b0e65b
SHA256 3bb6894e2580e8503fa8e51185e18226e14b5c59c534e15e5cf376b083ce56db
SHA512 20403e93d5faeab0367485ce21b912eef8ab4f0921062cba75b12b113809a9a2510f516921e36a5f139b6ff85d387d4baa250b8fceafb7b42e421739476415e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1f8e245305c1de397ea20b05e9e65e2
SHA1 d1f1179add3056a9c82839123c4d3bfc73e18a65
SHA256 6eb80e4f6b26dcb88a46f3a4ede44ff9b425bcfb3d5ece05e10e365eaf8b4b14
SHA512 50ea04fba52031270682958aae9f44b1a49519a1105004ae363bc256e3acb9a4e0c04ab4eccf821d35c6fc2cd7f025400ec03081ca2f284fb24bce5a5231b516

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4779463811e6e38e82d37a59def99136
SHA1 82b69464c018db3d1d8d0df3b45fdf069085a93b
SHA256 0260d43cc352f5e402b765f445c9de932fb7ba1efebe1cdefc3546a700151e5b
SHA512 1e355873aab8555052978aea0918d155d55e8eec4bec91bd17fc3d7d26449fc5390369691b0de3344edf561eb21195ca73b85c1188d210db5325b3760ac0bb5c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6624c8d6378dcd44507d122e3111b329
SHA1 1af9a48eb53fb272a5a53d6b806611993a468710
SHA256 0ea2e9107d27a3f5aff6699bcd9b23d407ba8065f20c28eda6fbb15d3a49db50
SHA512 3344119a474fc944bd1941b283bd33bdb33e6fa488c9b3c38a30fd98cf7ede00330fdad47e01da92b69b8653467a4cf128aada7c2509a4951043b87053281998

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c387b66647ea67c93ac6f11d27aad87
SHA1 6ef9e4d7bc6e788080da8fb1175ec1ae813b6710
SHA256 0f179ddcc120db8e13022b6e31b0dfd69d3223ccfdab998f13a0e49803887eaa
SHA512 3869496a692f28d8e1df51965c004b26b0ec2c2563156f5dbe9ca9f64136c486955e7ae33e35757bf9fb2e9f6bc45d73f647c2c3c16143324c9dde46902b7171

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b2304c56ab6cad41fcdf39759c9477f
SHA1 244372d4abb1d9a52bfb01da974f3b6924f268e9
SHA256 27e1ceb274a15a81894775ab9434fb000d1cf252e840d0621852371609258e87
SHA512 60d1dec1ec78ffd995eb97a32d37b5acc9aadeab207e1ef3a049fec6d7b3df02bb7babd9be16291799416b174fd7581ecf8916c75873f778675ff919c14a4b33

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3a43442c61c40170b95fdc679bacb05
SHA1 a5fe774a1fc9d7558f7e21d720584b0919184aaf
SHA256 d1721698d82133d32e147fb91d6a1ee135e3bd4227ac589b3dc538dc427f59cd
SHA512 9c016610196ccdc59dbb06892d364866eae222ed68c21a285b12f3a97726b1bfd2754ba93501aba397436ecc6c54481919962aed9572aa76dc76436a153bdca5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a92168f0995d49491c20f36c00efdca
SHA1 f0bf938999a3df4ce15b3d15085a92e8a542330c
SHA256 56985255ba4ed77e2a8759e9bf14a659e8fe87eb9cfdf9d81b68b2d42d0838ec
SHA512 d1d4b15235baa5cce35ab6389a9f8dedd20e89727a2438a680161c4db1d4911845b852ce857e98abe0c1a8aab18371ca5d510848e1dad127a70eeaa54d147f1c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3d9165760cd808b43c9a9e7e988b4b6a
SHA1 491d0d09600cd9a7385fcb981673a7c16aedbb30
SHA256 905bddecb3fbfd416d2e1ad20feb85cb19f94ab3ccba3a34f8fb0d6899651379
SHA512 3fb40615e91bcf76fe0b7449c4ca234cb2fd7e46a5f3d42aae76afa10b7840c8ba07fc19679c647d6fc89294bd2f4e169891fb26172dd08e8aa13f4c95a9ce2b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89e7fd6ab64fb5258d37d5e90a8f5bb4
SHA1 d222e8d141afad0d4f61b25afc8d6fe5b7eaa281
SHA256 d56951cfe5cca5140e39dfc57aa2ed0ac233225ecd88df44c6d0335cd00b412c
SHA512 46a0ef80c20366d1f8a633e722273a7f63ad4c2d1c947469df94e170260e0030c0e97ade753b03d1c48e5fb20118f47f48affb68d1b4270747393f77371c18ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 06b69cf987fbcc9e97901a4698c7fbe8
SHA1 55dc7ca3750602e5af34fe19d1071d1ef70da6d6
SHA256 9742e8ec6508a96a3ca8e76347dcf945eb6efbef93a90d3c897b7ab0db5c2cff
SHA512 43794581703312e8218353ae9ea664ff2b28f6cb1d460863e68dc9f650d056afb7024343791554198b23c828d5487be16172b3869d96a5b9348611b6f9046d2b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6314b7841433b41fc4b1773cec7e6592
SHA1 3b96dd0aa0d9705feccd7194cde0b12ab9b1969c
SHA256 ca3684eea8726211b6ec9cd3fa309549112ebd90befa41ebc1f997afeffc29fc
SHA512 79a40467cc729d2d69915970df4d6a85d51183919288c76a618db13ae1f291132c8bd8975e79ed63d02a4b4152ef40e98d53cf54531f813cf15ff8db458d0517

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dd7b59658ae83948c7c170370b99af09
SHA1 618dbbe400eb86bcab60141e4abcc8993c3546b6
SHA256 a6f7a59fcb2839f98d8c47026e65b37ac545c4f20527f52edf1d4e54bb3a82b5
SHA512 ea8a39efafee9f8afd8633c03eea6e820a0ed5919b5beb4616d2ab4c760f14d61410132f9b01c4795d82073e1812c5f970d497ad11c07cc4ae38cb3902e2ef5c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fed8276682cc2fa2524082122505855e
SHA1 b5efeebb262c8f88cad803bb095722a6bd2994cb
SHA256 ee56b7d731a611f32b6d5fad30551c0491a771d144924087e7a7bc7051e4e7e5
SHA512 c2466db74877e12a9d512a9a2bd8ea3068d30ab3a038b85c06cebe2292a446a2d2807aa704e825c262351a706c29a0154d4f7370795f82661d81478290c4e03f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d7fb54aee842baf56edca661f3535eb
SHA1 83c40a3b4670d98c98e42bea299dc74bc03826c0
SHA256 d83eea9d62b0c86fd579032a0e2f1e2c672d423e92b80fb5abfe8f6182923bb4
SHA512 ea9588c967e17202a2f6d188da72b270ec04b233a24e72fb443230c4bd7497a0157fc37ea4e887b87a0de0cf9d0f85da36591fff98571d0f1b8a20fbff36dc4c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe972576037f79186f9cb5ce60f144b4
SHA1 34d2ec454bd324b9e237e4e083e258d08e7f1ee7
SHA256 a87bca8fa57463359f21114b18d302f15447b481a5b7e73b21ca79f09b68b16e
SHA512 473612ad41aa0af13b582e0645dafdfd068b45f5ab70f147f97c6d10b9c69b7a0289add24057de3c95ddd371dbb51a01842690826da6349b8bbe4fc501502eef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb1fd50994dd732e7246ed693c3ccdca
SHA1 d3a52fac8ec75552f37ff1a4cb0f3317ebd1f5f5
SHA256 5d02c66263fa0c078fc8f7880d7f70e918bb38579a6c02e3aaab6d903c084ca1
SHA512 1ac1dec28b6b906a19620ad1c1949a8a26a450cb6a9e1a37c9549e0f8b63af461b8a63a7189f8d6a90580455d62190085a5116ad87df2f1fb4aa1c4ca9b5db76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba8256a54bd8241c5a7731a269a56a6c
SHA1 d1461b6348c7e0be65af555af186779827a7ee72
SHA256 2132bc41291701b6ad001e697ecf806677482be3aaee406209181e4f6b2fc2c2
SHA512 c328239ccb1dd8bc8a45163efade838aa44878e940a6e6880adc03200310eff8be47a6d7b04ec561ca4d5d3b16d50687390cdfdbd5c13eccf6e7a04220b8c499

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 16fa8e07dc28c9823fbc532fb9272861
SHA1 f9ecd0b785ee6d0d389aeaf26efe0a61d19d884e
SHA256 196228c61429927d0d1f0388fb3a3d754b1020d0b6a792f6ba5cd709ef655082
SHA512 57a886b24dc879d9526e516f6fa7a82942fdd0d14b998127d3e1074f754e0b37c207e185e291cc0a4cdcc4c4ad11c402686cfbc770105981026bafe5a72a1951

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bdeb23cc76b459a3a23194dafc373c0c
SHA1 7a15b4dc3de5b4632f9e6cd6f244dab677fae3f0
SHA256 d2253d7249d2b37f9359cf19e5aac66bcce1e0f1cbad32dc3b99d6c643d1d592
SHA512 39cc766e3b203e45f60732985800bf21b6c0694beaaa985a2d9a3778b2a03b6eed47e8b7a2a87baf6c7edf38e599cc524c938a065483493c8d4da24fe3e89c22

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f47f0a5c4abfdefadba7e154f332227f
SHA1 1667e98dfc79ca67a727991eca855c6b420e2e60
SHA256 8fa8001673a2aa5452601fcff38bd2620790029b936924b70a2f68aba6da5a22
SHA512 c7663aa7b80f2165d1b996462e531f0b862d929feb85479ccee62c9ce0ad12091743d1c221b546742752d62bbb61998acf57611d88c345b175bce860bcedbb5e
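The Network table for this run records only Internet Explorer's own traffic (a DNS lookup for api.bing.com and TLS connections to ieonline.microsoft.com), so there is no network indicator to hunt on from this detonation; what remains are the dropped-file hash above and the drop location from "Drops file in Program Files directory". The Python below is an added example, not part of the sandbox output or the report: it sweeps a volume root for those artifacts, matching DesktopLayer.exe by path and the px<hex>.tmp by pattern (its name differs between the two runs, pxE428.tmp and pxBB41.tmp, so a literal name would miss it) and any file by SHA256. Note that C:\Program Files (x86)\Microsoft is a legitimate directory on current Windows (Edge lives under it), so the match is on the file, not the directory. demo() builds a constructed directory layout in a temp dir and adds the hash of a constructed file to the IOC set so the sweep can be exercised offline; the function names are the example's own.

```python
"""Sweep a mounted volume (or an extracted disk image) for the artifacts this
report lists: the dropped-file hashes and the Program Files (x86)\\Microsoft
drop location.

Added example, not part of the sandbox output. demo() builds a constructed
directory layout in a temp dir so the sweep runs offline.
"""
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# SHA256 values copied from the report (original sample and the dropped *NSrv.exe).
HASH_IOCS = {
    "29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524": "original sample",
    "fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320": "dropped <sample>NSrv.exe",
}

# Path IOCs as components relative to the volume root, from
# 'Drops file in Program Files directory'. DesktopLayer.exe is stable across both
# runs; the px<hex>.tmp name is not (pxE428.tmp vs pxBB41.tmp), so it is a pattern.
PATH_IOCS = [
    ("Program Files (x86)", "Microsoft", "DesktopLayer.exe"),
    ("Program Files (x86)", "Microsoft", "px*.tmp"),
]


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def matches_path_ioc(rel_parts, ioc_parts):
    """Case-insensitive, component-wise suffix match (Windows paths are case-insensitive)."""
    if len(rel_parts) < len(ioc_parts):
        return False
    tail = rel_parts[-len(ioc_parts):]
    return all(fnmatch.fnmatchcase(a.lower(), b.lower()) for a, b in zip(tail, ioc_parts))


def sweep(root, hash_iocs=HASH_IOCS, path_iocs=PATH_IOCS):
    """Return (kind, relative path, ioc label) for every file that matches an IOC."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        for ioc in path_iocs:
            if matches_path_ioc(rel.parts, ioc):
                findings.append(("path", rel.as_posix(), "\\".join(ioc)))
        digest = sha256_of(p)
        if digest in hash_iocs:
            findings.append(("hash", rel.as_posix(), hash_iocs[digest]))
    return findings


def demo():
    """Sweep a constructed layout: an Edge neighbour that must not fire, the two
    drop-location artifacts, and a file whose hash is added to the IOC set."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ms = root / "Program Files (x86)" / "Microsoft"
        (ms / "Edge").mkdir(parents=True)
        (ms / "Edge" / "msedge.exe").write_bytes(b"constructed benign neighbour")
        (ms / "DesktopLayer.exe").write_bytes(b"constructed, not the real dropper")
        (ms / "px7F1E.tmp").write_bytes(b"constructed temp file")
        temp = root / "Users" / "Admin" / "AppData" / "Local" / "Temp"
        temp.mkdir(parents=True)
        blob = b"constructed sample bytes"
        (temp / "sample.exe").write_bytes(blob)
        iocs = dict(HASH_IOCS, **{hashlib.sha256(blob).hexdigest(): "constructed hash IOC"})
        return sorted(sweep(root, hash_iocs=iocs))


if __name__ == "__main__":
    for kind, path, label in demo():
        print(f"{kind:4} {path}  <- {label}")
```

On a real host, call sweep() with the volume root (for example C:\ or the mount point of an image); hash matches pin this exact sample, while the path match is what held across both runs of it.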

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 21:12

Reported

2024-11-17 21:15

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524N.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\pxBB41.tmp | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2720077293" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31144245" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2720077293" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2724295828" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144245" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CDA4750C-A528-11EF-BEF1-7E3D785E6C2E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438642988" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144245" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4196 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524N.exe C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe
PID 1372 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3604 wrote to memory of 4916 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4916 wrote to memory of 4160 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524N.exe

"C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524N.exe"

C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe

C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4916 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/4196-0-0x00000000007C0000-0x0000000000B43000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\29274dfda5c7f2a3cd0c793f6128f7429fef834f142e226dc8df2d9ea184d524NSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/1372-4-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1372-5-0x00000000005A0000-0x00000000005AF000-memory.dmp

memory/1372-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3604-16-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3604-14-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3604-13-0x0000000000590000-0x0000000000591000-memory.dmp

memory/4196-17-0x00000000007C0000-0x0000000000B43000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 67b3270e9ee2455fec6e20353842018a
SHA1 afb768285ecc4fad9cb171c6ec0247e54a645746
SHA256 a0e3067884f99355e97dd1979abe971940e233b6d8426ca2f9caedc7f5b25456
SHA512 605ae45158f81452bfe383b3a8ec2407ce9c1bcd0d5b1372d13c870569105c764b89abf0a184fa3779770dba24e69b503ba7825026fcfd24fda06cce3ac9f3c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 2ba9468ec64ebb280330aa8a516bf7c1
SHA1 4a7c537f0d7c5896dd3143c5487d77188bcab610
SHA256 b4cfdd496a01831b997c253ed7da0b42645cb2ffe726da9ea0d9a40ce9dcd406
SHA512 c142a74f8c0f61054412e812ea81143c90f978878085a280276a9dc77f88f4460bd2e3289fd3c819afb1d1736295b20abfa1ff39e0226579b3310b69fa9735d4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee