ramnit | 83a1e2fd5bce52966a9d048cb2631d9b5d81b3ea94c7e07a35a3cbe1d0e066ed

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe
Size

136KB
MD5

f4fe381c819e039f7c2a6c21011b5f8f
SHA1

bb5b00b26960925c0d27569a085fda5b8ae13b55
SHA256

83a1e2fd5bce52966a9d048cb2631d9b5d81b3ea94c7e07a35a3cbe1d0e066ed
SHA512

9e64cd2a6fe57d1f529085e90b8842e59dec7528615ef1fd5b9d182a2f69db3222b10d17cba3e4734eb15043f53fcbc2abb0e858dc1c11b3cd0b61fbce541dac
SSDEEP

3072:awV4OgSzBmh04eZFkz3Rr0gwGj9Tf895bxpd4v:aMzzILGFkzhr0pGj9o959

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2380-0-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/2380-4-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/2380-2-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/2380-6-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/2380-9-0x0000000000400000-0x0000000000478000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{51356BD1-BB09-11EF-854E-7ED3796B1EC0} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{51330A71-BB09-11EF-854E-7ED3796B1EC0} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440445284"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2380	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe
2380	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe
2380	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe
2380	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe
2380	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe
2380	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe
2380	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe
2380	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1372	iexplore.exe
2324	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1372	iexplore.exe
1372	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2252	IEXPLORE.EXE
2252	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1372	2380	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe	31
PID 2380 wrote to memory of 1372	2380	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe	31
PID 2380 wrote to memory of 1372	2380	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe	31
PID 2380 wrote to memory of 1372	2380	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2324	2380	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe	32
PID 2380 wrote to memory of 2324	2380	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe	32
PID 2380 wrote to memory of 2324	2380	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe	32
PID 2380 wrote to memory of 2324	2380	f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe	32
PID 1372 wrote to memory of 2252	1372	iexplore.exe	33
PID 1372 wrote to memory of 2252	1372	iexplore.exe	33
PID 1372 wrote to memory of 2252	1372	iexplore.exe	33
PID 1372 wrote to memory of 2252	1372	iexplore.exe	33
PID 2324 wrote to memory of 2704	2324	iexplore.exe	34
PID 2324 wrote to memory of 2704	2324	iexplore.exe	34
PID 2324 wrote to memory of 2704	2324	iexplore.exe	34
PID 2324 wrote to memory of 2704	2324	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4fe381c819e039f7c2a6c21011b5f8f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1372 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2252
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2dd6ea2a61d4f3daf2bab36647f33d4

SHA1
ec4ea25166d06787861f68a6ea4f7499f9935c75

SHA256
fbf5192c6fe0086ecd46949d9a235aaa3d65a8fa24eb041398d354b782e7c1a3

SHA512
5dc24e7f0e337ba0ce8ffd29850c9eac9cd21ec83be6006bd7fbead3d3457956c16d3732024f0f8dcf2c038f97c2f70dba10cb8e9bf5a28e02c928e80b362ac8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab107c0f8a27ee0dca58400ee462871a

SHA1
6410eaf5277e50110e0319ac6c22dd2c60a39905

SHA256
e719778c1830129f4d90efd5d525c785fcb410058ecdf5d71cf5e426677394d8

SHA512
1f4684195506be311af760eab3048acada1d3e4c8ca08e173c498f02b827d70c9a5168b1efc1fca460a90af021bbdf48655bcc7e9537ef668f8941912044a1a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9f42e317b845dd4acf834fe8a3aec02

SHA1
82b3472acb0f1558c01e624f548667cc58102ea2

SHA256
b72bfb93fbfff7d3f4e3c0ffbe531c1476667d4f04cb52021fe2fdacc41cf60b

SHA512
e0fbb8887c9a719b7e748dc7c3ee6c9354b7ba1f76b674bb7f3648c7c1cf6678bfa6179b36e74acf67c2d1936310826fcfebd7d0934d1641e94a2d9cc418b073

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f56095a179e645405aaac8bb085f20fd

SHA1
6010be2020f220e4e04d0af31d237896f8cd0c81

SHA256
a2f745cbd7d5d614df6fbe4f05e0bb3ad0cd48e66340b0ef2ca7ffe2b79b2be5

SHA512
f04325e1f29d74b6f3f1daf4c2f7d235a8b77314d8d992f82d080876ce7707308f4358c56a43d241b2c193c1d74219d79b8ba39a939afefb4ceeb631cf13800d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82dc2044e1915c022ef44f19960f9a25

SHA1
9f4bc6ceb6e00f86553e6862afda284e85c2f620

SHA256
7ca3c61d57260d349d0cf38dbb2c2b5271e70181eda353bbd313655125ec7fbe

SHA512
db497530ee8ddb96875f21b60f4f1ac6d4690f98fa45cc763e4c4d9af9e8b030a3f5df5f1853091a0f8d8d4300cd38f18fef7ec994b9624a2294079e213619c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3c78cac42d52245ae709cfbd41cac31

SHA1
d5b3de0467be1f7564d7e30d505cb22244a89f06

SHA256
068d7ff70dc4d1a43cb93f07b90530001c81d8b4b4c7aaa511d4e31dbabf6f26

SHA512
47bcfb0f6b67690b45c6aedb8fdcce2271c5993ec603607bede651af5d5c41452e9d72f73e78d38d0f61269a0b312ec5240e8cf80e56eebd4ab6809501564071

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24a5c05a251bf342ff18764a1957a174

SHA1
0421ae87e91a25c1be4c59dea167111e430419f1

SHA256
ba70b26a08594d52d7381537f9004b8543b8615c6cdd5949c0b294578bac309c

SHA512
b4c05e893774da4e81881f0e7da547b1e741b63fc61dd10d7708036339ce9bc3e3d5cfc441670276420dba76905f9028b9f4ab9c774c389fd64b0e0ea0e00b3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
740c22f20dd2e2f28c21370bd0e7a724

SHA1
9338974ebcc89a2f77ba2ef2412441563872b3e5

SHA256
f0ba6f74d4d526cc55b8cdf58b4ba5d9563a7959464043842d17b9b70d30da3e

SHA512
2975f1f65d802df6b85c838afc381e3f1e4271c0932f9fc7da1007e3fef253e38e62c22026dcbbc9d3eae0f2d9cd71434c108dc2755e7c910007d0cb49e2209f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd4fbf2e8b0d42db0c6bdd6097d34c31

SHA1
b11b3e1f2ffd55afd465cbeefc24c42cd2a5d8a5

SHA256
fdd2c0117e88e3ffb5c783f81c36d369169feb12a4cd71e3bedcf72235fc92a5

SHA512
98338a89bece65aaa3e9a8eacb748a5f33772d8bdbdb38c80686833bab3d765c6c7fe7e4faa70ab0da4df6e0e7e929bcc4ef5aada4676976ece61c1ad4181caf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b135ac305a38fb02d60dad31f6d4a9a7

SHA1
371b734c66ff1c9fa65200987af7752b4be0c4b1

SHA256
cc4038c940f0a2e6cd817c5bbf59a1cd28c544de1ab25141db914d97cd00706f

SHA512
12c3cb33f8aad08b1975329bb8b233a3d31093529d5d1465a66e07b910d66b8a1ef3d69033e5c4f08c4caa7c8b187bfedf01b017c05336775fabc2f005928538

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e40fbb7025be14cb340412d16ef942f

SHA1
1eb663500d98de20c405f1fa5314cdf9d173d491

SHA256
cf4062d7e314058ac96c02bd6b9fc5993678c75ac809f872e63a49cf9b704f63

SHA512
59c2378f5db19990a92261bc6374dee00f90f190de5e93604e3f92b42d1b8e771944c99590a82f7482d4ce24c566e7b5a336e51431cc1cc01c576337ef63b248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aba484ca98696544b79181c518246f4c

SHA1
f8bc99cd4e67d105eacea3253e103d9950ee667f

SHA256
1e0c5c54935e360de0d5221bbef59d5b01159214d5f0f2ec02096d6c2c2aa0d7

SHA512
d6e2259edc234c476dc6843ac952e22338779c4247969f41b895b3b3b372784bd407c8e8e96cffffb1644a05a453ff30112341d8ee7232963a50e3fe05181c86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b980dcc0a9bb69e33989bebcd80128af

SHA1
329c05baafaa1cb45d2457ccdb670bb0d762e4d6

SHA256
f0a82f6948492f012cf0c1665390562fbf48f483ffd44071783f01a3b52cf51e

SHA512
05685d5d447665e033bcf43824db703a81d56050fc4c459d5a2a616364a078b16442af56830c272ae9cb204d904994d51749613f8376cf3a8c57a46187d3657d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b685928eb9ba9f5cc6e047f3c918d84d

SHA1
f32a0658d9c4c1d97d3d265879692be0662c21a2

SHA256
a2a2305319b407ba8e114e0003390505f3dc31167a6fc60c910d75028d4b76e3

SHA512
c161e730c82052f1415c5df85c9c25769ce7c468dd70a08c053522b897b8913d0e0b873a3909476a07a575c9aaf2659dcae7634752c79f622592b209f21e4f15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7e04cad3e150c9d66d900429e870b95

SHA1
305d2b4f2a8be0f2e8bcebd8a2f0ba298565e362

SHA256
c1290d1b0e256ed42eda4019e21585b258bff698d3bb6838f631442d7a5bb6da

SHA512
571a2251b3c773e8acc5b31c25dda33e4507c2a5b48fe0aaf9c6f8b20207097c7474ebeadd08b400f7df5506b9fb17dd32dc2881059d80a3586ba08bb960eb93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21a9ce551fdea24d404eb43b51976aa5

SHA1
f6438b6f0ebcae4ebd026ac795dd041df426656a

SHA256
515dcd241dc36b0b4f3cf5c0471419ae3ee43c8b02a1e1d0334592d8e0427429

SHA512
16421bf948766207d1616df689cf09f2d4ccf358c6cba5ee7601fa1fe897b7c267b34f3946177951791fca27e7762c1d8894fbacb8800efb10bb9d9eb932abb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f28b7edcf2e7a14f96a2e2e31d92647

SHA1
73f6dc40780f036ec3ade7fe9db5ff7ef21edc3f

SHA256
9976c9ff461f068feffbbf50d0f1110d15dc1f8b75cb071956ba3c625f64e8c8

SHA512
5b3bce3242cbbfd20f2ed0e73eeebf3b16b4a2583f4ea8962e789fd5ca4c1c3b0fa06767ea50856acafbda17d153103c06b41c5555db887543745801705bfc8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{51330A71-BB09-11EF-854E-7ED3796B1EC0}.dat

Filesize
5KB

MD5
3ef682384523a51c6cdd9dc93058c381

SHA1
3e15be3bd1ebddb7de91e191296bb29176c36434

SHA256
4e2d3789abb32e1242cbbd5490a5bfcbe487738dbfa815a718dad2b60d3e4b28

SHA512
7ebbb1d6aea237c35e8172f8c9776cdd06c4d31276ff5f8f7035b114a99ba839c2f06377d1470b7a3376a6a98c254e460189f946d38f742ee2596ec702e944cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{51356BD1-BB09-11EF-854E-7ED3796B1EC0}.dat

Filesize
4KB

MD5
fc194103374c529cecc60510ed29fd33

SHA1
084a280e7549147a54d360219a34526fdcc5f57e

SHA256
041779eb2cec8cd4ad5dd267ffd0a6d451afae03adbe0fbf4483efef45bfab0e

SHA512
ec3956754f1c61b95731559ccc2208f501c7a49811ec6bdc41c2baca7a09f4365a95e7df8354f84c58dfb7c6302371103d6e766795618d119dc76e9220303e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF598.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF79E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2380-4-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2380-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2380-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2380-2-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2380-5-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2380-3-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2380-6-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2380-9-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download