ramnit | 5d116b5a00cd979a0c82bb49cf665025b87f0bc9f79eeb245b9bea1b34a29e84

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d116b5a00cd979a0c82bb49cf665025b87f0bc9f79eeb245b9bea1b34a29e84.dll
Size

500KB
MD5

b1ce222e4fbd2b1f60ff4c6d96144c00
SHA1

cff3c1bbcc6a66d75954419ec66db28e237b3248
SHA256

5d116b5a00cd979a0c82bb49cf665025b87f0bc9f79eeb245b9bea1b34a29e84
SHA512

2b6b4633ecec4f3e6c9dfd986c347fe586c5167d66d1dfa3fc687df4b803eaff4cc287bbccd7e0869e539286763c70101a968d7fbe5493a45c0164956fa6a9ca
SSDEEP

12288:Gh8fZLyb9PzVMBC/HVMOp4PkxHLCYwZckMQMNb4o+33:G8F+Pzr/Hfp4MIYwZckMQm0oM

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
2240	rundll32mgr.exe
1672	WaterMark.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2240-139-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1672-144-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1672-148-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1672-149-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px81C7.tmp	rundll32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4892	2112	WerFault.exe	84

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "279700569"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "279543666"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001154"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001154"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "279700569"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001154"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "434231633"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "276731234"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001154"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001154"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3BD96ED7-7635-11ED-89AC-5ECC372795C7} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "279387833"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001154"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377185627"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3BDBCFC7-7635-11ED-89AC-5ECC372795C7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "434231633"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001154"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001154"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "276731234"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1672	WaterMark.exe
1672	WaterMark.exe
1672	WaterMark.exe
1672	WaterMark.exe
1672	WaterMark.exe
1672	WaterMark.exe
1672	WaterMark.exe
1672	WaterMark.exe
1672	WaterMark.exe
1672	WaterMark.exe
1672	WaterMark.exe
1672	WaterMark.exe
1672	WaterMark.exe
1672	WaterMark.exe
1672	WaterMark.exe
1672	WaterMark.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
972	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
972	iexplore.exe
532	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
972	iexplore.exe
972	iexplore.exe
532	iexplore.exe
532	iexplore.exe
4504	IEXPLORE.EXE
4504	IEXPLORE.EXE
4284	IEXPLORE.EXE
4284	IEXPLORE.EXE
4504	IEXPLORE.EXE
4504	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 1900	4808	rundll32.exe	81
PID 4808 wrote to memory of 1900	4808	rundll32.exe	81
PID 4808 wrote to memory of 1900	4808	rundll32.exe	81
PID 1900 wrote to memory of 2240	1900	rundll32.exe	82
PID 1900 wrote to memory of 2240	1900	rundll32.exe	82
PID 1900 wrote to memory of 2240	1900	rundll32.exe	82
PID 2240 wrote to memory of 1672	2240	rundll32mgr.exe	83
PID 2240 wrote to memory of 1672	2240	rundll32mgr.exe	83
PID 2240 wrote to memory of 1672	2240	rundll32mgr.exe	83
PID 1672 wrote to memory of 2112	1672	WaterMark.exe	84
PID 1672 wrote to memory of 2112	1672	WaterMark.exe	84
PID 1672 wrote to memory of 2112	1672	WaterMark.exe	84
PID 1672 wrote to memory of 2112	1672	WaterMark.exe	84
PID 1672 wrote to memory of 2112	1672	WaterMark.exe	84
PID 1672 wrote to memory of 2112	1672	WaterMark.exe	84
PID 1672 wrote to memory of 2112	1672	WaterMark.exe	84
PID 1672 wrote to memory of 2112	1672	WaterMark.exe	84
PID 1672 wrote to memory of 2112	1672	WaterMark.exe	84
PID 1672 wrote to memory of 972	1672	WaterMark.exe	88
PID 1672 wrote to memory of 972	1672	WaterMark.exe	88
PID 1672 wrote to memory of 532	1672	WaterMark.exe	89
PID 1672 wrote to memory of 532	1672	WaterMark.exe	89
PID 972 wrote to memory of 4504	972	iexplore.exe	90
PID 972 wrote to memory of 4504	972	iexplore.exe	90
PID 972 wrote to memory of 4504	972	iexplore.exe	90
PID 532 wrote to memory of 4284	532	iexplore.exe	91
PID 532 wrote to memory of 4284	532	iexplore.exe	91
PID 532 wrote to memory of 4284	532	iexplore.exe	91

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d116b5a00cd979a0c82bb49cf665025b87f0bc9f79eeb245b9bea1b34a29e84.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d116b5a00cd979a0c82bb49cf665025b87f0bc9f79eeb245b9bea1b34a29e84.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:2112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 204
        6⤵
        Program crash
        
        PID:4892
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:972
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:972 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4504
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:532 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2112 -ip 2112
1⤵
PID:4848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
65KB

MD5
a9ea94ee4a3bb43d4057823b2072dc54

SHA1
94ade3c34ec08613daba8a1240586c24f8169794

SHA256
7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

SHA512
0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
65KB

MD5
a9ea94ee4a3bb43d4057823b2072dc54

SHA1
94ade3c34ec08613daba8a1240586c24f8169794

SHA256
7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

SHA512
0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
a62e66dbd157955d60808bf89987bcde

SHA1
a97e8478902ac7db7fd904300304944a41afee8e

SHA256
d34e72ae586b00a60e3526f1e75677dcffa83fd33860a771ae592e7d8320cf25

SHA512
2c969c621bd5881acf47e85b3a2977b1c43dfa80887f0ab447327162d143795ff647b8ed1aec174a868c0faf1e09eb8baa6a67ea42764b65fe4416d2168e81fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
38ae156d2fc155a6f3d20efc31a0a441

SHA1
eb10f2ca179ad44f1bd8c2edd94a2c7d8f5cdd3e

SHA256
1620825ba5403ca3dcaf16d36d8d3ba02082bfa540fd63c762fd6d1b7bfa9cae

SHA512
f93a5e210a7cd5efe1127fac71c68688d1ffe37d9e53c306a681a8f14e48420b89984a12e0d342110f2904d112d379894839bb6366efcc25015037520d68e841

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3BD96ED7-7635-11ED-89AC-5ECC372795C7}.dat

Filesize
3KB

MD5
4b7e9f495140342abae493a54382193e

SHA1
4f9bf489feef5a89c0c6a92444048e84b16e73e4

SHA256
7d5b2a1fb7aba574ce39b40adc7861dfc52ff0b7e7db5a41ccd56f27c5d468a5

SHA512
c350d39797ebc8ebf1f8526c976eacaea7456e4aa4862d904c1eda7fc49063350e01e27033041f0db2f94943ee055cc236b1a2c6a85c07d2a2d5daf921b1753e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3BDBCFC7-7635-11ED-89AC-5ECC372795C7}.dat

Filesize
5KB

MD5
60aca47c3f3c80152e88b5df298fa6bf

SHA1
76868d84e3813a0a9be7f90c834b69856e64e965

SHA256
cdf9b588ccb6ccb07a7806dec02082fda76487787cfbfa9af40abf161be2697e

SHA512
3d3d942be1693322849daa52be31962e6dd06f46a803485740f0b0de684cd9a3744af6321fd2b0dc7a4c36013f764392b11d078e90f6be68e34087158ba989e5

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
65KB

MD5
a9ea94ee4a3bb43d4057823b2072dc54

SHA1
94ade3c34ec08613daba8a1240586c24f8169794

SHA256
7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

SHA512
0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
65KB

MD5
a9ea94ee4a3bb43d4057823b2072dc54

SHA1
94ade3c34ec08613daba8a1240586c24f8169794

SHA256
7edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789

SHA512
0ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5

Download Submit
memory/1672-149-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1672-148-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1672-144-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1672-145-0x0000000000530000-0x0000000000551000-memory.dmp

Filesize
132KB

Download
memory/1900-136-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/2240-141-0x0000000000640000-0x0000000000661000-memory.dmp

Filesize
132KB

Download
memory/2240-139-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download