ramnit | 0f14252aa4405954d45e4848dd68be218e67fc66ac7e2f833fce8f20b34dcaa5

Analysis

max time kernel
118s
max time network
128s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/01/2025, 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4ba847a6abe88d2de84696ff36105dd0.dll
Size

266KB
MD5

4ba847a6abe88d2de84696ff36105dd0
SHA1

08c50f7fa556edb73e12751bf46fcb165451cdf6
SHA256

0f14252aa4405954d45e4848dd68be218e67fc66ac7e2f833fce8f20b34dcaa5
SHA512

6bbe18cce4d4059e22bb567b79c494688182782dfa73d3053922f0351bfd0ca274c2edf1d8b2954bce5fe17e8ee683ca33ca031e5e48ac8ac9093b1cc4b7dfcd
SSDEEP

3072:fHIbZrZeazcZgbAr0uiND880HlTJT5I0tdQu7Pd8Y2Lyp0lFmy/p/yr9rn10Dfww:7aGgcJipRuQQppQFmgY+4aQ1kmIW

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2352	regsvr32Srv.exe
2628	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
1788	regsvr32.exe
2352	regsvr32Srv.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32Srv.exe	regsvr32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2352-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x000b00000001225f-6.dat	upx
behavioral1/memory/2352-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2628-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2628-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxD4DC.tmp	regsvr32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441877047"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E68F96D1-C80E-11EF-B961-D22B03723C32} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\igfxdev.CUIDriver\ = "CUIDriver Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CEE304E-DC6C-11D2-B561-00A0C92E6848}\ProgID\ = "igfxdev.CUIDriver.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB74AF42-DC70-11D2-B561-00A0C92E6848}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB74AF42-DC70-11D2-B561-00A0C92E6848}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CEE304E-DC6C-11D2-B561-00A0C92E6848}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_4ba847a6abe88d2de84696ff36105dd0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CEE304E-DC6C-11D2-B561-00A0C92E6848}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\igfxdev.CUIDriver\CurVer\ = "igfxdev.CUIDriver.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CEE304E-DC6C-11D2-B561-00A0C92E6848}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CEE304E-DC6C-11D2-B561-00A0C92E6848}\ = "CUIDriver Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CEE304E-DC6C-11D2-B561-00A0C92E6848}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\igfxdev.CUIDriver\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB74AF42-DC70-11D2-B561-00A0C92E6848}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\igfxdev.CUIDriver.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\igfxdev.CUIDriver.1\CLSID\ = "{9CEE304E-DC6C-11D2-B561-00A0C92E6848}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CEE304E-DC6C-11D2-B561-00A0C92E6848}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB74AF42-DC70-11D2-B561-00A0C92E6848}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\igfxdev.CUIDriver\CLSID\ = "{9CEE304E-DC6C-11D2-B561-00A0C92E6848}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CEE304E-DC6C-11D2-B561-00A0C92E6848}\VersionIndependentProgID\ = "igfxdev.CUIDrover"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB74AF42-DC70-11D2-B561-00A0C92E6848}\1.0\ = "igfxdev 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB74AF42-DC70-11D2-B561-00A0C92E6848}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_4ba847a6abe88d2de84696ff36105dd0.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\igfxdev.CUIDriver\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB74AF42-DC70-11D2-B561-00A0C92E6848}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB74AF42-DC70-11D2-B561-00A0C92E6848}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\igfxdev.CUIDriver.1\ = "CUIDriver Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\igfxdev.CUIDriver.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB74AF42-DC70-11D2-B561-00A0C92E6848}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB74AF42-DC70-11D2-B561-00A0C92E6848}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\igfxdev.CUIDriver	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CEE304E-DC6C-11D2-B561-00A0C92E6848}\ProgID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2628	DesktopLayer.exe
2628	DesktopLayer.exe
2628	DesktopLayer.exe
2628	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2636	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2636	iexplore.exe
2636	iexplore.exe
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1788	2320	regsvr32.exe	31
PID 2320 wrote to memory of 1788	2320	regsvr32.exe	31
PID 2320 wrote to memory of 1788	2320	regsvr32.exe	31
PID 2320 wrote to memory of 1788	2320	regsvr32.exe	31
PID 2320 wrote to memory of 1788	2320	regsvr32.exe	31
PID 2320 wrote to memory of 1788	2320	regsvr32.exe	31
PID 2320 wrote to memory of 1788	2320	regsvr32.exe	31
PID 1788 wrote to memory of 2352	1788	regsvr32.exe	32
PID 1788 wrote to memory of 2352	1788	regsvr32.exe	32
PID 1788 wrote to memory of 2352	1788	regsvr32.exe	32
PID 1788 wrote to memory of 2352	1788	regsvr32.exe	32
PID 2352 wrote to memory of 2628	2352	regsvr32Srv.exe	33
PID 2352 wrote to memory of 2628	2352	regsvr32Srv.exe	33
PID 2352 wrote to memory of 2628	2352	regsvr32Srv.exe	33
PID 2352 wrote to memory of 2628	2352	regsvr32Srv.exe	33
PID 2628 wrote to memory of 2636	2628	DesktopLayer.exe	34
PID 2628 wrote to memory of 2636	2628	DesktopLayer.exe	34
PID 2628 wrote to memory of 2636	2628	DesktopLayer.exe	34
PID 2628 wrote to memory of 2636	2628	DesktopLayer.exe	34
PID 2636 wrote to memory of 2792	2636	iexplore.exe	35
PID 2636 wrote to memory of 2792	2636	iexplore.exe	35
PID 2636 wrote to memory of 2792	2636	iexplore.exe	35
PID 2636 wrote to memory of 2792	2636	iexplore.exe	35

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ba847a6abe88d2de84696ff36105dd0.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ba847a6abe88d2de84696ff36105dd0.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\regsvr32Srv.exe
    C:\Windows\SysWOW64\regsvr32Srv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1424b95ae6848efe9a91dca4cd7d87a0

SHA1
687cb547c21b2bf0ee65e9a0f1e34cc6a366cd2d

SHA256
0e73f4de60a07453ad6d0b0fc0e673fa33abfc94b9000fcb5b1fb4e146fb0778

SHA512
0f81e08f3b6f0009f94b1f1dd111df0caea1e99c64a9529ede0cb56a7390e7713e419201b676eaf5f913e51e5131dbf2d1bdf85ce53372dbcaffedd8d16aabe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61617d9fe13a0cd091f2dab9f0bc8901

SHA1
7d2847c93b1dcc6dfe50af5efd83ab61040c5324

SHA256
ea508dd1d9f1a24f8d63aac02a686f9f2f00b59776668623b6d314417fc326b4

SHA512
8f334d2f7dffa7763fe0e2bf4822fe1511b000c9d14baa7fbfb4af8b45387b95b3e192ed77c1fa5c88c1ac173ee342d13669c625edd10fa1a22d1be7198a1a75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3433b041a345359e2921526e50f7fe71

SHA1
d4c4725bb1bf45496ce13eed3668051bcd57bef9

SHA256
790679aa9f10be584f38d33dc09fbf9a9186d4ac9be18292bb955d6cfefc32ae

SHA512
e5a2ed9b42332e5840102a65f99224886c9e2cf0a34dee353d17f47d15def40c068561ea0de92dfed13ed64d2658af3a64290a578b8c4440ec8b0d8df26f2866

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8d2df72fedc5e64161e2f7029b38995

SHA1
cc356ffb591c91efc7824c1b2b2ea078bd0a366d

SHA256
b33a25d76f2af9971980e6fa9ead51e00f3b630c78c657cef26e40a4d13b41c4

SHA512
be06c6d9cb7f8fe7e3f9e2444f922da91192ae8dcb36cd51afbbcf84bb0825ab99bdf9d28dd69b36eae71b8286ec9b55b45383fcde060d791d45d4599fb50ea7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4727cc0248102579c88f12d7a24fcda

SHA1
26a6de395a1135136acfd9691d85a7615588bf7a

SHA256
49c07c33d0eeee4abb5ec84e05e75eb0da7ce972b807a51151999601f5c3125c

SHA512
47eae544029f3cc313fa760f30b2d12533ddda7a1769bcf09de1624e64a60c35265aa8be0898bac3852308741033a10eb3b1a8989984af846facc23e7fba4916

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0306ddb2d29e726b2331d00751d9b26d

SHA1
353915c6e4e5008cd2997fb9cfae62df22baefe9

SHA256
d1840322bcffdc1649685b74dea69619d8eb4187270df1d508fc6f14ca8bcd56

SHA512
bd2609c1e649676068717efaa455fb554ae025a87b3af305c18c04294b54b966dc22523d6652ba20b53e28f7d94cbd4de11011f8f5e58dadeeb45502570e26bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79978dd12bc5c5e486b8a69e3a4bf994

SHA1
b53c737409ed5cde8f10e91cb574b495b3a0ee3c

SHA256
48a84faabbc858a7d8c278796ffc8a7275d7eef9a0d9888155d57b41170b53ef

SHA512
4e7b01981f9cdf536b0b5b2cc4433abc00b6a43c81d7b861fff31725bbb17acd9e286be1d33a91762a8876b2917d10e4c3ed944b995fb77d19954475099308ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34e3de02234c43518f6f7895a42e8970

SHA1
53a5c14e03b4167804d08932d954e1eb9672d3d5

SHA256
18bdcce283c4808757207f15e214793b64ee068dee088f68da257f18e6ee5b3a

SHA512
a4973f85d55daaa47a88f72bbf1d1e0274a7e77aa67096ceac8cd1a513e86fe4ccb2d06ec9010e7c055b6ca84270306476122220c77e064f881db4f68e9e6989

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0662b9f5b2416fe24de9419a9290ceb1

SHA1
a4c1375d8e051f997f3d637c6937a552b0e9e52f

SHA256
c71357c363bb128690b11218de90deb815ab4a24d4e46f9d2973ba2bd95e24a0

SHA512
ea677b88d0facb17cca58ad5d23a874a93526564e8d5b0653216112754380ff57b779b79516be127370822784009fb4e2d5cad03bc4d617187353ed52b1e3498

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f224d140e36276535b744ce9090d68f8

SHA1
1c981dc9d32cad501118a04bcf3c1ff3b49c0ec9

SHA256
e7526dcfe818eeb31ced186ec8b9beb09011eb3e70c40c4318bd9071c8310157

SHA512
a178a7784a3bce0bb64733d13c9d11b1b776d2d2c9ac75a83d977ebc0a8307850b0ff0fbe6eb25ce520b4ca1e387b26356c27014560b2d804471a3f63c99cc52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6b587bf97f9cdbb36cca5afc8f4b302

SHA1
7edeef33aff27f762a754568a6d6ea100810d1b4

SHA256
822b5cabd8c01ff282739c95cce46764797978b6ba56100aad90a0adb5e9dccf

SHA512
44224050628c7e02ccd5c994e122baa251ad13dfcd8b1f76b902d9d5222238fbaaf09a636dc6016a88785a3aad3e2565f55eee4f4bc7bef1dafa955c3d604157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca2bbf9085e6e3c214d624e07ca92901

SHA1
b2605303cd6430d758ca2a6a63d4ae45475aa6ae

SHA256
3998666853d48c73607f41b2d5d929b7a0b515ff973c47d890c532fa7addbbb6

SHA512
fca6bdf9321278bc17d20757f4e9ca9765250cda282591c6e2015b8e5d8c921706d234df268f34803d7230008acab71ec55a7757d8df9d3e559e92d8b1a03c78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cc55b54f60b525e8e99ff0c4abdccd8

SHA1
437ea58a4c7ea3ea352ed288dfbe328187d4b76d

SHA256
c63aa095d99fc60e058354c79894471dec681348c8dc42eeead08881be50ad84

SHA512
ac491e6de319eb26fe6ca713d5b33174ae371534b97d797b65cf2a3edd4c3dbe22e23c4230f3def0666e27764e9f25637d85170dd581761f8146154779da9681

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77e90fdbbb679293fb81546263922579

SHA1
ec25b91a507e14dfc04da92cb00185b0e5cf7102

SHA256
99eeb8ac744522f2370b1ffd555209414b8324489f4289ca97850799d20584b4

SHA512
a35a392d849e7ec9777e2853306a41a992e7908735a8b1ff98fe198bb713935c63bbb1b6ee885801b210e0bcbf2b3744e0c221222b80e11a0da912f63b3dcce1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b72b9ee04eb02ac50e2873db18c676b

SHA1
ca701139b6a19d1ae46c352110b5b37af2b0e966

SHA256
023d45d99497d4f772bc43e1ee8f6c5b6ffddf9b33d8ccce0efbc689bdd8a18b

SHA512
a5b44b5ecdec917edd8dd39c1c72b847f2ddf63a98811997af6f5b72734e7c4b85c0682bd87e0177d2f79db1088a0c0944da01dd4054f760b56e2439014b5bd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3768f9457995e72a582167ea4b66e9b

SHA1
62e9501bcf29f03e425184012f8ffaccf09c0eea

SHA256
44fb99ff64faf15a3c48e48db9f125d0adc79be7c1e03821476555415a3bdbeb

SHA512
f8cc74e3b18141708bb9f8810a44622ab1bb6d7da8766e16d8376972a1a3d5b713b41d26aa59b2cca9ade14fb2f74af24a7efcd684473c51b39bfcc19c87cdde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
637c6985aaeab6e333988d6e21d5f437

SHA1
389cc66b7ce10f0b48033668c5d7560ad2300011

SHA256
b921e50b24fe5e762bb95bd76e71a189d2abce1f58f9fee6af7723dbbc5a111c

SHA512
575edebef5ef1ca54acf63dd77eb12d5a78919db41cfaad7806203766485bfd368d73a61f56439c188ab6e07759504799a7874044fff9753ef78480fdfc05a05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2cd1dc92fc8a71062b1f59f220298b74

SHA1
1298c5d3d889d8ac1b0578ae0ccabcd3e46f8933

SHA256
647d92d6616429a3dda3456ec14d315fb03601f39a7d6a982fec079d872c9d98

SHA512
f9b97db7c0b8d3c8b040c67976d8529cdf6f07a7984a9fdd58fe7b55afe5964fb7404f5a0e2b9bc05dbfa1395391ac3f74b7e19148411531e681cc6e84cc0471

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e830844630e99e971c9438d19a188d7d

SHA1
7e8cc407899bdb3868226a05f2b5c088cc7cef0b

SHA256
481e35003e5dea2df797aee35514eb8f0a4c51907cd8d6e8e44cfc7245ef5a2d

SHA512
2d44d4200f8bb5fcca90c3411d10c1fac26abf09ca1d2a386dbc3d2f7f17ec88626bcd5e461a35ecd6483620fda2e6bac50f38e13d58e051839ab2acbfb7c540

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF672.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF740.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\regsvr32Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1788-1-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download
memory/1788-5-0x0000000000190000-0x00000000001BE000-memory.dmp

Filesize
184KB

Download
memory/2352-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2352-9-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2352-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2628-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2628-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2628-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download