ramnit | 385574a0da9b40e7d8bfd726ed733cc7c5ca0e5bf90ac13604106e3046b26878

Analysis

max time kernel
164s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 18:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4e4a4a1258dc4f58792294ee3a1345c3.dll
Size

216KB
MD5

4e4a4a1258dc4f58792294ee3a1345c3
SHA1

6e77e85a5adc7180fbcfdce00bbdadc43b62a859
SHA256

385574a0da9b40e7d8bfd726ed733cc7c5ca0e5bf90ac13604106e3046b26878
SHA512

dc8962cd1d852ed98fd333ee7d64fb6769647d593e076ce0ede875b493867e187249fd46b4d9abb53b41484d6c6f3c5440efe120bf673eaa2fa41aff180d52f4
SSDEEP

3072:A0x7OzOBdr4BAzzid4V24q4gCj81llmaEeFB:r7O6zMBAzfxqo81ZZFB

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
5072	rundll32mgr.exe
3776	WaterMark.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5072-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5072-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3776-28-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3776-29-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3776-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/5072-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5072-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5072-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5072-7-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/5072-6-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3776-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3776-41-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxC0C0.tmp	rundll32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3740	2880	WerFault.exe	40
2884	1344	WerFault.exe	16

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31081258"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31081258"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2482434957"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2487435226"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31081258"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2487904435"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BF4F6D67-AF1D-11EE-9A4E-76CF25FE979C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31081258"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2482434957"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31081258"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31081258"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31081258"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2485092432"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31081258"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BF484730-AF1D-11EE-9A4E-76CF25FE979C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2487435226"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411590258"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2487904435"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2485092432"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3776	WaterMark.exe
3776	WaterMark.exe
3776	WaterMark.exe
3776	WaterMark.exe
3776	WaterMark.exe
3776	WaterMark.exe
3776	WaterMark.exe
3776	WaterMark.exe
3776	WaterMark.exe
3776	WaterMark.exe
3776	WaterMark.exe
3776	WaterMark.exe
3776	WaterMark.exe
3776	WaterMark.exe
3776	WaterMark.exe
3776	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3776	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4828	iexplore.exe
2484	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4828	iexplore.exe
2484	iexplore.exe
4828	iexplore.exe
2484	iexplore.exe
4236	IEXPLORE.EXE
4236	IEXPLORE.EXE
3616	IEXPLORE.EXE
3616	IEXPLORE.EXE
3616	IEXPLORE.EXE
3616	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5072	rundll32mgr.exe
3776	WaterMark.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 1344	3992	rundll32.exe	16
PID 3992 wrote to memory of 1344	3992	rundll32.exe	16
PID 3992 wrote to memory of 1344	3992	rundll32.exe	16
PID 1344 wrote to memory of 5072	1344	rundll32.exe	35
PID 1344 wrote to memory of 5072	1344	rundll32.exe	35
PID 1344 wrote to memory of 5072	1344	rundll32.exe	35
PID 5072 wrote to memory of 3776	5072	rundll32mgr.exe	37
PID 5072 wrote to memory of 3776	5072	rundll32mgr.exe	37
PID 5072 wrote to memory of 3776	5072	rundll32mgr.exe	37
PID 3776 wrote to memory of 2880	3776	WaterMark.exe	40
PID 3776 wrote to memory of 2880	3776	WaterMark.exe	40
PID 3776 wrote to memory of 2880	3776	WaterMark.exe	40
PID 3776 wrote to memory of 2880	3776	WaterMark.exe	40
PID 3776 wrote to memory of 2880	3776	WaterMark.exe	40
PID 3776 wrote to memory of 2880	3776	WaterMark.exe	40
PID 3776 wrote to memory of 2880	3776	WaterMark.exe	40
PID 3776 wrote to memory of 2880	3776	WaterMark.exe	40
PID 3776 wrote to memory of 2880	3776	WaterMark.exe	40
PID 3776 wrote to memory of 4828	3776	WaterMark.exe	100
PID 3776 wrote to memory of 4828	3776	WaterMark.exe	100
PID 3776 wrote to memory of 2484	3776	WaterMark.exe	101
PID 3776 wrote to memory of 2484	3776	WaterMark.exe	101
PID 4828 wrote to memory of 3616	4828	iexplore.exe	103
PID 4828 wrote to memory of 3616	4828	iexplore.exe	103
PID 4828 wrote to memory of 3616	4828	iexplore.exe	103
PID 2484 wrote to memory of 4236	2484	iexplore.exe	102
PID 2484 wrote to memory of 4236	2484	iexplore.exe	102
PID 2484 wrote to memory of 4236	2484	iexplore.exe	102

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e4a4a1258dc4f58792294ee3a1345c3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e4a4a1258dc4f58792294ee3a1345c3.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:3776
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:2880
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 212
        6⤵
        Program crash
        
        PID:3740
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4828
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4828 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3616
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 608
    3⤵
    - Program crash
    PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1344 -ip 1344
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2880 -ip 2880
1⤵
PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
139KB

MD5
03f2a314cd1c598c38a1de2663e1aebb

SHA1
aff058f29943df223cc418ed6544ab0f176e5762

SHA256
64ff2387190101102b4f140065c12780ea9ad822a1c05444a552164cc30a3392

SHA512
950368f5a8eacdee919ca7d2c93c1939f9fc120602fd7347e16ae6a67e382cec7b2525adc652ac2ce39e08a614437248d1ff83d44171075ce8333016bf45ae45

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
84KB

MD5
46139de8cdf74879f4c6b4b9d06e827e

SHA1
644ac8dc170a53b155312baa91e2ef019f1fac93

SHA256
7b2c915d3a5e4f934086cf2ada976ed8f2033be5ac61bc712b6bcac179482e5b

SHA512
11acb29aabb28e4fe5300df223e2ae4e1c36d0cc6220492e67e18eb8e1b793e631610a30d5f1208800435f2efffbd78a119e834f7ae78786a2e4d18e74bf2253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BF484730-AF1D-11EE-9A4E-76CF25FE979C}.dat

Filesize
5KB

MD5
bbc059431a8dc4eb105b2d967960fc12

SHA1
fedb2db6fe6f5f5e4ca6b89622d0a6653b0ddda2

SHA256
57c55b4d0a50d7aa0e7531413c6db4ce359f45a6a42dfd755c9cd1297bca92f0

SHA512
6d9ce10a3b4c2bfcba5222b41fb79001c3107f0e5e9d574197ce11e1cd5c8123c05dcb80a50d50c03a902c3f02a20f81685654e7ebcda2d4190eabde48ae5ee5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BF4F6D67-AF1D-11EE-9A4E-76CF25FE979C}.dat

Filesize
5KB

MD5
c8ab7905912bfc028662ad4e21478e9c

SHA1
52c40ad3573b049394162b3e58b415b351fa263d

SHA256
184fbd6d520fa09d2ab1c7da6c7c5b4e14c5d0ce0d753395fbc8f0b0ef698c45

SHA512
ac0842aedc1eb80a94f63adaea65b9eb24ec1cba904333896657dda9370336a1efa1335a0f531a2f76275ebe4793efce87b2570d1e5b12b6ae1002d97ebfb234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver4745.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6AXLYU2E\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
memory/1344-35-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1344-1-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2880-34-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2880-33-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/3776-36-0x00000000771C2000-0x00000000771C3000-memory.dmp

Filesize
4KB

Download
memory/3776-29-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3776-28-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3776-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3776-30-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/3776-31-0x00000000771C2000-0x00000000771C3000-memory.dmp

Filesize
4KB

Download
memory/3776-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3776-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3776-37-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/5072-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5072-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5072-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5072-4-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5072-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5072-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5072-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5072-10-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/5072-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download