ramnit | 47432512c38a525a19699f82785f51a51f8098500431fac3f76db6df3759def9

Analysis

max time kernel
92s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4d852e62c20b3f6941161d2bf0ec7210.exe
Size

125KB
MD5

4d852e62c20b3f6941161d2bf0ec7210
SHA1

dd3e43133bb4b7b2596833c1c2dabb561757ea51
SHA256

47432512c38a525a19699f82785f51a51f8098500431fac3f76db6df3759def9
SHA512

4a0177a5427765bbaea1e59453371f3449ff98c391464792a57709acdcaa7b11940d95db9ea65adf4ceebb8300a160524245530c9f2b1674d462492e9f21041a
SSDEEP

3072:dxf026qbJ1y4GNq5jz+/YiMaGhKFzSZ7:eqHGoq/TM7KU

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 1 IoCs

pid	Process
4196	WaterMark.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/116-8-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/116-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4196-27-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4196-26-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4196-22-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/116-10-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/116-7-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/116-6-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/116-3-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/116-5-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4196-36-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4196-35-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/4196-39-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	JaffaCakes118_4d852e62c20b3f6941161d2bf0ec7210.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB892.tmp	JaffaCakes118_4d852e62c20b3f6941161d2bf0ec7210.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	JaffaCakes118_4d852e62c20b3f6941161d2bf0ec7210.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4628	3992	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4d852e62c20b3f6941161d2bf0ec7210.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31153188"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3385218063"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3385061925"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31153188"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31153188"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F5212DCE-C817-11EF-BEF1-7E3D785E6C2E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31153188"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31153188"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3385061925"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3385061925"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3385218063"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3385061925"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31153188"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3385218063"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3385218063"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442484050"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F51C69CA-C817-11EF-BEF1-7E3D785E6C2E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31153188"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31153188"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe
4196	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4196	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4540	iexplore.exe
1936	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4540	iexplore.exe
4540	iexplore.exe
1936	iexplore.exe
1936	iexplore.exe
4472	IEXPLORE.EXE
4472	IEXPLORE.EXE
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE
4472	IEXPLORE.EXE
4472	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
116	JaffaCakes118_4d852e62c20b3f6941161d2bf0ec7210.exe
4196	WaterMark.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 4196	116	JaffaCakes118_4d852e62c20b3f6941161d2bf0ec7210.exe	82
PID 116 wrote to memory of 4196	116	JaffaCakes118_4d852e62c20b3f6941161d2bf0ec7210.exe	82
PID 116 wrote to memory of 4196	116	JaffaCakes118_4d852e62c20b3f6941161d2bf0ec7210.exe	82
PID 4196 wrote to memory of 3992	4196	WaterMark.exe	83
PID 4196 wrote to memory of 3992	4196	WaterMark.exe	83
PID 4196 wrote to memory of 3992	4196	WaterMark.exe	83
PID 4196 wrote to memory of 3992	4196	WaterMark.exe	83
PID 4196 wrote to memory of 3992	4196	WaterMark.exe	83
PID 4196 wrote to memory of 3992	4196	WaterMark.exe	83
PID 4196 wrote to memory of 3992	4196	WaterMark.exe	83
PID 4196 wrote to memory of 3992	4196	WaterMark.exe	83
PID 4196 wrote to memory of 3992	4196	WaterMark.exe	83
PID 4196 wrote to memory of 4540	4196	WaterMark.exe	87
PID 4196 wrote to memory of 4540	4196	WaterMark.exe	87
PID 4196 wrote to memory of 1936	4196	WaterMark.exe	88
PID 4196 wrote to memory of 1936	4196	WaterMark.exe	88
PID 1936 wrote to memory of 2372	1936	iexplore.exe	89
PID 1936 wrote to memory of 2372	1936	iexplore.exe	89
PID 1936 wrote to memory of 2372	1936	iexplore.exe	89
PID 4540 wrote to memory of 4472	4540	iexplore.exe	90
PID 4540 wrote to memory of 4472	4540	iexplore.exe	90
PID 4540 wrote to memory of 4472	4540	iexplore.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4d852e62c20b3f6941161d2bf0ec7210.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4d852e62c20b3f6941161d2bf0ec7210.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:116
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:3992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 204
      4⤵
      Program crash
      PID:4628
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4540 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4472
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3992 -ip 3992
1⤵
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
125KB

MD5
4d852e62c20b3f6941161d2bf0ec7210

SHA1
dd3e43133bb4b7b2596833c1c2dabb561757ea51

SHA256
47432512c38a525a19699f82785f51a51f8098500431fac3f76db6df3759def9

SHA512
4a0177a5427765bbaea1e59453371f3449ff98c391464792a57709acdcaa7b11940d95db9ea65adf4ceebb8300a160524245530c9f2b1674d462492e9f21041a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
febff5e5b64433316ee5f116c5c14309

SHA1
55a533777edeed0d18304f073d59d5ca1e5c7737

SHA256
888dd735b3cf97e714243c7ecf44064128c4a97452b90ebbc66e317a113ef9a4

SHA512
cbadeca5bbd2528b4af7ad6d053483adac27db83bfcd8b75312a5aa4b09302f729b67a04bbb9af840cb3abd78ec668b5a6c8746685ba0f15780b5e0ea3dd88d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
92cbfa11ee078d1aa0cc37ebfb85e7f3

SHA1
c9bd544ebb0b1046a54c05244c28c89acbd516b4

SHA256
6d23c52c8a0b615bde623ed2abdd48243fdad540f96a783c2c77e9cf245f5323

SHA512
d5b67a762f85efee0293d27e1b2230816222753631d2ed868031116025d10ae44e621b266402512f50564830cf44bf959faa0e74d77fbcf2d1b848c960fa556d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
eeddb6d55109307fee32e3ad7a46aaef

SHA1
a0a6e926797ba3425a7c468073a1eb9bae3b5a24

SHA256
0a35626f58030e4a57ba1a8acf3c572d00f981d55075842c471f651475cfbe85

SHA512
78f6cfdf35a3f5fa923139f8962586ea561053a17d6072443f7b76627887525f4731b1ee2744dcf86151eea1391ec9a5197387d9b21ac864f8b8ffaa0ca74d5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
241b3f56902e14f2445466fa95261ad4

SHA1
b14cb4dcca7a105b9a72696b0faba4d6bf1baf1a

SHA256
cb4f6d986ae8c11064ae7f73fb0e26d7688ead26a065ba76f7d14e633b3ffa6c

SHA512
55bff686840fa67157e9df1077f0035ec49ada8fdf703b789318389c9bff33499f66ea1950972adbdc644250bf570550f9c27a8e46998239a5811f57e1f97df2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
3bd92866d823479d847d632a45278e32

SHA1
69ef53ea78d3b5b81b930cc21ff663541d924c34

SHA256
1d7d4e091e03cc5c7e467a4fc5e68a6840cd51302d6d8e911beeadac909a2165

SHA512
fb69aeb449eafd3eeac9aa003103fb2ad7324799a317e979255d4af49ba360164307e58e9d2a0fb4991d36e2560aa2f26db2d5cab4700fc97250d373f468b61f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F51C69CA-C817-11EF-BEF1-7E3D785E6C2E}.dat

Filesize
5KB

MD5
78001ec6fc722a17c958d196328a97de

SHA1
7c890e6455d33956ddd6d20613784c811997bf6a

SHA256
9824cbd152c0a793b0fe1d9179d76b1accb0594c6c0f5c1643e96d160bc16576

SHA512
165a24ca3f24d9080a142978bc34f6135541c906aa90a2e95dd26eab6c0b6c77127523adfd3e16b5f17a09227b8dc1e2a3f6ccc1aa30b82b0257c05b922f4f3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F5212DCE-C817-11EF-BEF1-7E3D785E6C2E}.dat

Filesize
3KB

MD5
c607ac97f322edc81e07af523dd6bb11

SHA1
ff989ef7e789c4f490ec741fb405b25220baed2d

SHA256
669c605244c8fc2b9a234274fc856f54ec8ba7c0ffa67986e72f7c2c97aa7aa1

SHA512
e240dce3f840cf23b837b1e8b3a9356c321b2cb1e3febdaec7ea4c45086d7730d7037ccd9ebb9d97f20f77a4d60e13bb4432ed458f6bc934513ec45191e25ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver3CA6.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
memory/116-3-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/116-5-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/116-1-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/116-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/116-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/116-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/116-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/116-25-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/116-4-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/116-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/116-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/116-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3992-31-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3992-32-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/4196-36-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4196-28-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/4196-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4196-29-0x0000000077E42000-0x0000000077E43000-memory.dmp

Filesize
4KB

Download
memory/4196-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4196-34-0x0000000077E42000-0x0000000077E43000-memory.dmp

Filesize
4KB

Download
memory/4196-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4196-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4196-33-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/4196-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download