Malware Analysis Report

2024-12-07 02:16

Sample ID 241117-zyw7dsxqby
Target dea756acbe46b538a26b940881d51eb9b47478bb4be1855c60fac165d21354b8N.exe
SHA256 dea756acbe46b538a26b940881d51eb9b47478bb4be1855c60fac165d21354b8
Tags
ramnit banker discovery spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dea756acbe46b538a26b940881d51eb9b47478bb4be1855c60fac165d21354b8

Threat Level: Known bad

The file dea756acbe46b538a26b940881d51eb9b47478bb4be1855c60fac165d21354b8N.exe was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm

Ramnit

Ramnit family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 21:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 21:08

Reported

2024-11-17 21:10

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dea756acbe46b538a26b940881d51eb9b47478bb4be1855c60fac165d21354b8N.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px5689.tmp C:\Windows\SysWOW64\rundll32Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32Srv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E318761-A528-11EF-B30A-EAF82BEC9AF0} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438039587" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 2552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2792 wrote to memory of 2552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2552 wrote to memory of 2080 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2552 wrote to memory of 2080 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2552 wrote to memory of 2080 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2552 wrote to memory of 2080 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2552 wrote to memory of 2088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2552 wrote to memory of 2088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2552 wrote to memory of 2088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2552 wrote to memory of 2088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2080 wrote to memory of 2760 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2080 wrote to memory of 2760 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2080 wrote to memory of 2760 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2080 wrote to memory of 2760 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2760 wrote to memory of 2468 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2760 wrote to memory of 2468 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2760 wrote to memory of 2468 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2760 wrote to memory of 2468 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2468 wrote to memory of 2948 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2468 wrote to memory of 2948 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2468 wrote to memory of 2948 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2468 wrote to memory of 2948 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dea756acbe46b538a26b940881d51eb9b47478bb4be1855c60fac165d21354b8N.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dea756acbe46b538a26b940881d51eb9b47478bb4be1855c60fac165d21354b8N.dll,#1

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 224

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2468 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2552-0-0x0000000000760000-0x00000000007F0000-memory.dmp

\Windows\SysWOW64\rundll32Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2552-5-0x0000000000660000-0x000000000068E000-memory.dmp

memory/2080-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2080-9-0x0000000000230000-0x000000000023F000-memory.dmp

memory/2080-11-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2760-18-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2760-21-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2760-20-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2760-19-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2552-23-0x0000000000660000-0x000000000068E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab6CA9.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar6D79.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f9053bbe05d755f48c0c510eeddadbd
SHA1 7c55ce4b57ac8ab7109c97aab29c51d2ad70c3e9
SHA256 5044a886faa06d98b1b1368bb26c7a02aecbf403167d49e62eff8215362736c8
SHA512 b630a350d8aa76e69e0fe89410e3eda2cf0917f6130698e3252884b4b6d0a7a5d0779a67c21d5942775a00217da7400dbe00cacce05d9ae8408f9281fcc0e631

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d136cc81a6dc2508687059cbd6255da6
SHA1 964e53518207e819b6423610e18af213732e5ba6
SHA256 4402e6afea9a1da07f098e419f92e8f85ca30acfc97badf4c15ec6d94f451d0a
SHA512 14565196a9f15d98a9abca340e95deba08890d47325b9d044623bb4a1a956af12134334c37788a5777207e9ef29535008f6730c5eadf4c41c8452e8264f19f69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0a57a2727960ffd846c9ba2ab5d5282
SHA1 4f97e6584a8bea5830221e33fe1babcd4e2a93dc
SHA256 e6a552c4dc1ce56d3d18f5d3c45fb1f4ffbef8d6c153a6246f8d431aca188e85
SHA512 3e8cba8bbffd73bfdcbb815b363ad5def34626742fc3d17ef085cd3276a77ce489074677966d84b071a3edd10ac099f52a08bad697a81a0be8be3638980db590

memory/2080-146-0x00000000002E0000-0x000000000030E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ebc05964204cb8a2b12da940e1705f9c
SHA1 b5643270580e8c695de202538f715aeb4187371a
SHA256 7b6792cf3e4d49c2ad2235a78d3b36c560ccbd0e3cd2f253c644991538af45c9
SHA512 96e6d79246014714be455b5d40726ae5541099074a4ae1ef1370e0259c73a393fa3a1228b66b79b56c0e6fcd46a8cf1e28f6e3dbc065172ba407f7c17a48a866

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 71887cc6d564727d4079401ab8d891f4
SHA1 921349908bff0b4fae199b8fce520bee0022512d
SHA256 9619e80cd201d99f318ddf8fa3d856dea15a08687635d0381dbecf55e060f7ee
SHA512 ee43a32171bbb1701d2ee0c0f00f25e5e432a922766d6a876dc760663f4a16161e1f62ce90d1d9b99b3126ac60e8d162364e697dfb1dd5bd0d8cc695a5c3e645

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15dfeebf9111f500a04c1e64ca3130cf
SHA1 e9300a1e46a3e5f6a68662a79c04f40a5eafaec5
SHA256 769bc6374545c7ab014be089482d95809b7cb4ff7848fdcd23975923586b002f
SHA512 8c205ed88b4b5819371f52f5cc88e03dd57412fc0661d4acccf8a612d6c40f9502eee88ac73db0e29a163a65a0c1901a03377b86b077953246de1fdf4e30c0a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ce5f58adc478b48e0d8b0e37b6350e2
SHA1 94b40d82c21b3a81cc848dfdb17dc6da92f2093c
SHA256 341a5a7ff9911a93dd22e407082de81675465b565761c2d9683e81299be27346
SHA512 295007010b2d37edfb9793e4c661b78de257b6e53d27ae6adf4724cf80428456b2490f35f6479545ce1bc65bb00069582dedd536a60598f5704cdc99aa1fc236

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33a716995ef65a8638ccbf37227e94e5
SHA1 2252a79552cc1bd5d14d2b58ec29bbcb330472fd
SHA256 403f369200ca8fc8f89847e7efcdb6438dc7a06329aa41b3aba6a206a4607ecd
SHA512 84a4ae4830ace79f4033022fc78ce3136a2c02cafa554246866b6bea74b9faa6017204aa0b57e18270868ee2eddfaeade68450dbcc19d7a39ea742d3b7ddf928

memory/2552-453-0x0000000000760000-0x00000000007F0000-memory.dmp

memory/2552-454-0x0000000000760000-0x00000000007F0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fa70f335c2a3c5f73faa5292bea9f76d
SHA1 be66b419f2dbc900f8c45105825a7cece236e0e5
SHA256 d5c684ae7d6a1831762a16b03f5a6095f5a66a9ccac79b45e112129a3c3d4c97
SHA512 0538c55fbb01259f4a57c03d51352f39f640383811167a6492170f266f8f08b1fe1ea48a87d58e262787605401083b28ba1459f12ab787894907752088369c56

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 07210408d7298158f3bcf93d0fc7db14
SHA1 bf1f1f7ff1904e3cca2eb340c8e3c07aa3bf79b9
SHA256 213e2a9a7252b7873ddaa07c00f1c2253d0a286891b8c65676cafafc73608e19
SHA512 99fcb3a18d0956be47d3e9b662e285ae9064ebbaa508d9e4e1f1545bd59e5083e38c10189013ae58c19f7dd1e5ff9d890917d9a74ed6dc00f7d53d9a959075bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05e4118eea4e7ba287d17174fa18d474
SHA1 09fef6431722902ced5e077258e816f61ef6c8f3
SHA256 323dce10d5a122f75f15f86735ae0a2eb2d5a8beffdb10568356b2193355586f
SHA512 468433b7497b9eecb96d268b171e2edcd482f3ec12c6a1543ee1689ad17e3a5df5f268703dd8bc9df955682752eeb31726a14f60627581527ed4f7c038281439

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 230be8048822f6d41a55b007d4164905
SHA1 3c2e9c8244289885776e425ea8c903643528710a
SHA256 9b63a4b1345a1f76f5df39c9d06b16266fa0fe18d98c1db8ab933c636c91839c
SHA512 5c4d3b5014309aaad35dce3f51a928724ef0f9b8499bf02ad505b5bceb4449b7616e586613026aa5c74768a2bd940f0902c4cf3866d8029938b68274e3f6b1ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 43a0233968bfe4fa1af324b7dfe4785d
SHA1 de5477f9608e23a42af4a42d910abd1ee2633e56
SHA256 4560f32c45b3fd5f862ed6ac48cc79682b9ebca81bc41eb8c48330a67f05c8c1
SHA512 f4ae188ba11a20249bfda4ceee1120ab85fad340d7e44493fbcce932737a2509ffd14a7bf33bcb4c714d4e6a163e42c216bf007b6ff694470ad27fb30e09057c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f01fedb430de399522a26a2964c80ef
SHA1 547e3b39c11e2847a4089f4cee0a76abc6334872
SHA256 9f3b0e3b6b97f4597c190251cce3c45ff32c25e9fc30d97b3de1b939d3fe416c
SHA512 2b8c6286772be39a7a50e1b7563aa0b97e4bc0e713ae839e8e6829717d82868ad4209e53b5235c1265316bec79b9bfc3c4147486a588df7d189c36653519e8b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9c4d6e9f3bf2e2fee04996db6ac0a28
SHA1 10c821505060795fc7930f150c3cb9037433dfbe
SHA256 0ea03acd02597aa38cd2ff5fb14c9d8cb02e1d263260fd3c0fe072f7432a77d7
SHA512 ed34d4ba6eff64667c1f49ca5ad988baacc033c49a3a3cf9974f8f108995ea6022c61320c12dec8c396d113ff358c085541634fcfe41d4df50c0ae3177ded629

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 650f2fa4992af1ced44bf589ae9b00a9
SHA1 d3831f21ba5ec27f4e2ca643db6eb8b1251bf75a
SHA256 8a56a149ad1f463129c9faca37ba708423ebbd302f93564b782d1cd18f33ed3c
SHA512 b2c9cf079e59c921f28cf1f3512c30eabfe6065170ea3fad9bfee3dc175ad482351b54e2a81c27b172f34fb3f645f66f2725f77e3ca7a9e0a903a9fed6acc9ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9354bea57487374e26c96e4674f6b796
SHA1 c42920dc2e12c6ae72fdac76eefeb162d4bb5156
SHA256 74250b5c6c04a3db6f2f7b6b03b22ae1cfe9cf2663d39406616732afc743e3b7
SHA512 b67ab1c4098b9e23a76bdd28ebdbaff3c589191a52292404e539c53d33ead53f1c5f5be9096aa948838d4bf16f31d8878996fd46789da5740c1c24869c64eaa1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3fb52ee19df480b2b31c8594f359bb4e
SHA1 16268be6796b3066ba92522e74050e699cbb3d38
SHA256 963b95a87ddbac115256412ac8c549a5b440119bc26a0ca9ed102d28fd51685d
SHA512 b953e446f6cece2a9ef81756853e1bfa0754e9ed671296271eeaac00ebad8f6e8c14f77ecb6e6f3bf37d161f4deb6e31fad58c13d8269ca79a49b5b81f7c7237

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 21:08

Reported

2024-11-17 21:10

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

115s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dea756acbe46b538a26b940881d51eb9b47478bb4be1855c60fac165d21354b8N.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32Srv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32Srv.exe C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxA671.tmp C:\Windows\SysWOW64\rundll32Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\SysWOW64\rundll32Srv.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32Srv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4132794681" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4132794681" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31144244" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4139357320" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144244" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438642700" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144244" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{21D8D324-A528-11EF-B9B6-FA9F886F8D04} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1260 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1260 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2632 wrote to memory of 4436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2632 wrote to memory of 4436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 2632 wrote to memory of 4436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32Srv.exe
PID 4436 wrote to memory of 5016 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4436 wrote to memory of 5016 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4436 wrote to memory of 5016 N/A C:\Windows\SysWOW64\rundll32Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 5016 wrote to memory of 4396 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 5016 wrote to memory of 4396 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4396 wrote to memory of 2368 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4396 wrote to memory of 2368 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4396 wrote to memory of 2368 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dea756acbe46b538a26b940881d51eb9b47478bb4be1855c60fac165d21354b8N.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dea756acbe46b538a26b940881d51eb9b47478bb4be1855c60fac165d21354b8N.dll,#1

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Windows\SysWOW64\rundll32Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2632 -ip 2632

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4396 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 572

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4436-3-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\SysWOW64\rundll32Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/4436-4-0x0000000000560000-0x000000000056F000-memory.dmp

memory/4436-6-0x0000000000400000-0x000000000042E000-memory.dmp

memory/5016-11-0x0000000000400000-0x000000000042E000-memory.dmp

memory/5016-13-0x0000000000560000-0x0000000000561000-memory.dmp

memory/5016-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/5016-14-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2632-17-0x0000000000400000-0x0000000000490000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 67b3270e9ee2455fec6e20353842018a
SHA1 afb768285ecc4fad9cb171c6ec0247e54a645746
SHA256 a0e3067884f99355e97dd1979abe971940e233b6d8426ca2f9caedc7f5b25456
SHA512 605ae45158f81452bfe383b3a8ec2407ce9c1bcd0d5b1372d13c870569105c764b89abf0a184fa3779770dba24e69b503ba7825026fcfd24fda06cce3ac9f3c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 a7c179c911fef44a5c7816810c2619f5
SHA1 3ef75c3e582ba371d748cac6e7f29041da2c89cf
SHA256 e78e6e5ca0dca5b24f93c19ad8e247f2674fe981ce17219c0166ec5985e645bc
SHA512 b4b04d3f95733a90e47e576462e1daac44300a5dd89776df8c2b055a293e586687d44b052454f2feba8f1b3214feb7fb063b41dfba4f45c5feebf9d53783c236

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9MFSIIMR\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee