Malware Analysis Report

2024-12-07 02:15

Sample ID 241118-b3qneawakm
Target d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d.exe
SHA256 d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d
Tags ramnit banker discovery spyware stealer trojan upx worm
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d

Threat Level: Known bad

The file d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d.exe was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm

Ramnit

Ramnit family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-18 01:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-18 01:40

Reported: 2024-11-18 01:42

Platform: win7-20240903-en

Max time kernel: 119s

Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\px9C30.tmp | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe | N/A
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438055924" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{27C12C11-A54E-11EF-B2BA-D686196AC2C0} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1700 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d.exe | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe
PID 1700 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d.exe | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe
PID 1700 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d.exe | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe
PID 1700 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d.exe | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe
PID 1244 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1244 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1244 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1244 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1744 wrote to memory of 1916 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1744 wrote to memory of 1916 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1744 wrote to memory of 1916 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1744 wrote to memory of 1916 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1916 wrote to memory of 2816 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1916 wrote to memory of 2816 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1916 wrote to memory of 2816 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1916 wrote to memory of 2816 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d.exe

"C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d.exe"

C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe

C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-18 01:40

Reported: 2024-11-18 01:42

Platform: win10v2004-20241007-en

Max time kernel: 94s

Max time network: 113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\pxB083.tmp | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe | N/A
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144282" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4144668362" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31144282" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4148262014" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438659022" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4144668362" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2292C469-A54E-11EF-B9B6-FA89EA07D49F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144282" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 864 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d.exe | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe
PID 864 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d.exe | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe
PID 864 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d.exe | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe
PID 3260 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3260 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3260 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 632 wrote to memory of 2796 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 632 wrote to memory of 2796 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2796 wrote to memory of 5016 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2796 wrote to memory of 5016 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2796 wrote to memory of 5016 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d.exe

"C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33d.exe"

C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe

C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2796 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\d2be74b100d5c0f3f7f44759b136125c1fb5b90de739e1eaf4420822a5aaa33dSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 67b3270e9ee2455fec6e20353842018a
SHA1 afb768285ecc4fad9cb171c6ec0247e54a645746
SHA256 a0e3067884f99355e97dd1979abe971940e233b6d8426ca2f9caedc7f5b25456
SHA512 605ae45158f81452bfe383b3a8ec2407ce9c1bcd0d5b1372d13c870569105c764b89abf0a184fa3779770dba24e69b503ba7825026fcfd24fda06cce3ac9f3c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 30238bc436124bf6ec61df08152dbf7d
SHA1 1c83a737e2fff04ed5282dc31242619d0e19aa4a
SHA256 56e27bce5f0c08a8255d16200fe8d55e560ec841cb0ec650de0250584128a863
SHA512 f2515de1256b4a0e025e85ba3cc338a9cf22373fcd32dcd8ca51647bc5304f8f0ada9cb65b56e5d903453fa3a32b0ffcc39b29d222f089c069ae844b772b624e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9MFSIIMR\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee