ramnit | 1087bfe8fce8919986085d961266a0b3f114eb119127423921327fb16f007d25

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/01/2025, 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_61706e573be5f1713984ce5aa940efd0.dll
Size

257KB
MD5

61706e573be5f1713984ce5aa940efd0
SHA1

62c0818cc5b9cf9398ed3da09831eda269d805d9
SHA256

1087bfe8fce8919986085d961266a0b3f114eb119127423921327fb16f007d25
SHA512

c9b3ae6978254747a9014d1386ceccd0bfbad17cf0470f4c00fc05841a246d10c74713c7e6f57198b09ea5cbe8c9133b868eca9a9a1d28914852765ab056ada7
SSDEEP

6144:ysoA62TjfQ2kbexQ8sd9ICmwt8XP67aaqeO6BAG:5oA62TjfQ2kbexQ8sd9I1wt8f67WyJ

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 1 IoCs

pid	Process
2492	rundll32mgr.exe

Loads dropped DLL 2 IoCs

pid	Process
2080	rundll32.exe
2080	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000f0000000139a5-4.dat	upx
behavioral1/memory/2492-16-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2492-14-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2492-18-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2492-12-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2492-21-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{21330091-C89D-11EF-9E7F-EE9D5ADBD8E3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441938134"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{21309F31-C89D-11EF-9E7F-EE9D5ADBD8E3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2492	rundll32mgr.exe
2492	rundll32mgr.exe
2492	rundll32mgr.exe
2492	rundll32mgr.exe
2492	rundll32mgr.exe
2492	rundll32mgr.exe
2492	rundll32mgr.exe
2492	rundll32mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	rundll32mgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2036	iexplore.exe
2896	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2036	iexplore.exe
2036	iexplore.exe
2896	iexplore.exe
2896	iexplore.exe
2684	IEXPLORE.EXE
2684	IEXPLORE.EXE
2428	IEXPLORE.EXE
2428	IEXPLORE.EXE
2428	IEXPLORE.EXE
2428	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2080	1224	rundll32.exe	31
PID 1224 wrote to memory of 2080	1224	rundll32.exe	31
PID 1224 wrote to memory of 2080	1224	rundll32.exe	31
PID 1224 wrote to memory of 2080	1224	rundll32.exe	31
PID 1224 wrote to memory of 2080	1224	rundll32.exe	31
PID 1224 wrote to memory of 2080	1224	rundll32.exe	31
PID 1224 wrote to memory of 2080	1224	rundll32.exe	31
PID 2080 wrote to memory of 2492	2080	rundll32.exe	32
PID 2080 wrote to memory of 2492	2080	rundll32.exe	32
PID 2080 wrote to memory of 2492	2080	rundll32.exe	32
PID 2080 wrote to memory of 2492	2080	rundll32.exe	32
PID 2492 wrote to memory of 2036	2492	rundll32mgr.exe	33
PID 2492 wrote to memory of 2036	2492	rundll32mgr.exe	33
PID 2492 wrote to memory of 2036	2492	rundll32mgr.exe	33
PID 2492 wrote to memory of 2036	2492	rundll32mgr.exe	33
PID 2492 wrote to memory of 2896	2492	rundll32mgr.exe	34
PID 2492 wrote to memory of 2896	2492	rundll32mgr.exe	34
PID 2492 wrote to memory of 2896	2492	rundll32mgr.exe	34
PID 2492 wrote to memory of 2896	2492	rundll32mgr.exe	34
PID 2036 wrote to memory of 2684	2036	iexplore.exe	35
PID 2036 wrote to memory of 2684	2036	iexplore.exe	35
PID 2036 wrote to memory of 2684	2036	iexplore.exe	35
PID 2036 wrote to memory of 2684	2036	iexplore.exe	35
PID 2896 wrote to memory of 2428	2896	iexplore.exe	36
PID 2896 wrote to memory of 2428	2896	iexplore.exe	36
PID 2896 wrote to memory of 2428	2896	iexplore.exe	36
PID 2896 wrote to memory of 2428	2896	iexplore.exe	36

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61706e573be5f1713984ce5aa940efd0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61706e573be5f1713984ce5aa940efd0.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2684
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2896 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b4782c4b9fb4f6906377a05fa283aba

SHA1
020c916b3c5e570d4544479af52659bc1fa8f1bd

SHA256
1000f06a9ab9c3cad84b400a5079243d12860939e8491da882c669718b0b6abd

SHA512
40cf13ae1d4d55a42b21bed7a0cb82e725d28e7944c0a2df8a05c5f55e6c9cdccb1f3d3dae07c92fd3455fb203be0e832355e3ee063916784c563c7a16609616

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d4df980ee83409a629ab037fea5492a

SHA1
56a349df2959b5db0778b0bdba7974c69292459c

SHA256
3406e4ed6f97b662d4bc10f1b1bc1dba755fbb7a254857325b32bdf1764ebeef

SHA512
f37e145f6bebbe2300978d2695aecafe61dd71d480a9e60c0716ac46c339db3125096e74bf222be7e8483d00ae349bfca850270bdcb57885f51ce18c62ecece0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c2fef146ab09aedcac0603ce9a39de0

SHA1
e3a7a8d517f1a01a75278d66c7fa722935bc465e

SHA256
b870c2fa5229444259cd91904221893b9e9146a7b264ae8de2fe58898b4e4a91

SHA512
8233fb661442ef221390148f0de6057dac957772fa56b23c80461bd6d8f1402529cb81805f2b08f26735060455b371654126db41329171af59d377b70e8cfa2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6edd1c3e7aa1092c15949313dbd25786

SHA1
955477c8439355403b42792c03f5a782a163b9f3

SHA256
c3f427e7570a18732186b097f778fe85823f282e54b9cab4e5a400cc40c5de3f

SHA512
69513339353115eac263a659e7d87556708caec2db340cc59a9ffe3d3783af66090181990c2ac200034efddf2fd13e99e653a8b4321b963b78d2008fae7442b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1bbc10de54857a7521a425b62512f4ee

SHA1
c80112e81cf586a4b898c4265222df55e25990bb

SHA256
5e74944878201c043e679430569fdb3d5d0a29530fda8fb36b515bc20f0069a8

SHA512
4171c80dd296dd91bfbaa435ac79cf0974e8ab3d7d73c29a76c5268451f86ac86de0fcd24cb5d42f922d5e11f6252f7c23735355c2657ceca8d07ae28866ce20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8355969ae3a0307043dda3540c71ea34

SHA1
5dc70e2fc45b10b44596fe793d51eed0c64b49ca

SHA256
2a8872d0a5dc45b78910a04154da4e161b5e0d7af577df709adf990e881701a6

SHA512
1b5f23598ded8a9f1927abe176fc0c8be0fbc1d5494c1e8fc1947430ca2cdd7a1928682ff00bab82facbce0795e4d0e886dc63fd302a3b23fdc3ab2e38218990

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a015dd8d4938a84831fb3c732c1d1fc

SHA1
1094bb9ecb074db5515bc5d441c17308195b6f07

SHA256
9b571d504f768cecc6cda90ef80845109cddb856bcd64040c1a14cae2a3927b5

SHA512
d9d4cc274345b08249f903dabd979f8aa1d1d4d83064719df1f85a7e74d15eddd306e635d2ec9a5ba5b576baf71ed79813e142b3c6d0b84814d7339c7c162cd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
527d9a95893416560a746ca4e400d2c2

SHA1
7449a9c52f15934ba0fba1967af7b0f4b6ba29d1

SHA256
320d8d2ad78b67f052a611c9e933e459319f583a36f3fe6a456dbd2a92de8b9a

SHA512
6b423d408368e7bb4985c59ab5649670d194b22b808bb67707f88b5c5771bc0806d5b1491c2b0b9d4324995ce023b7f1fe9351f65a7009b207fb761459046624

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f56860b57a026f0aa635a5ec09bc8a31

SHA1
0f8e803e194faa46891f05964f227480e59a5ff3

SHA256
0ffda44dea80f0977aa36fb3819ca0e78dd3b0a53f587462718a121062b3aab9

SHA512
40f2801d98c4fab62c67bd495752c40bdcf771d6f91b8eec95db84209aa7311ca04d99b85130c7c238d9861065142cd43e79c97ebb9442dfeebfd42aa4b97add

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee200f131c79cde05c322fcadbd37290

SHA1
7c7f61367c1911df2f98a5295f44a4c22c00e7bc

SHA256
ca5e311e2a6bdc9b20e18a3d225309d33d9aa70990e30c36a4e64ec85b9e0ff9

SHA512
bb354f6327e40edf77ff1202a4cd8308499ff7b744bf57da94624abc42187e24c4be0a4acfcab38ebc86a65517d05d858c61c0b14491113461480e352ca168b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
453b38b8e9ddeea1b92a0d0f0e671f18

SHA1
6f11e3a276953ca1c729014fb4fb42b87728f9e3

SHA256
ee64e4f096279afac6de0f361d85c18ecfb43ec71ea19ba41ff67b73c4eab6dc

SHA512
d2a9fcacc8319bb239f1f5b9fbac96c3b2ba5f187958e96efeff94b14e2a2ef047348f01820307b394a46ef10c833e023ef6113904e61cc0f25b7998d492d4c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd811b4e327f129b08c687bab62b250d

SHA1
878c9cf9e1b0f59f69415fea7ff1d0ea7d396629

SHA256
833f097d4d80292eccc7fd34f0bfa54cadf378961cc3dfef9e0b382f83ea96be

SHA512
dc08da40388c8f4eaaf810049fdb2893f4e6b369a0f728a8ceda4cc0078ef670d15da2a25150cdcf7cd89553be250844b3254f5c5ba45128e837df71ba2340fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc31a0f3e9336a3cedc38cdbc642b941

SHA1
8efc1dea619257c350e00c7c1941613212b87558

SHA256
f3c3bd3eedf9991d0703328c771813b446f693e6c4df6a3122851adab029a454

SHA512
cd5fde95d55b0f9b7ae41162dfaa5633d683fecd37237338a29c5f7d8c797df4d307ad9395a9811133748af2ecf052177d2aa19a6f3b0dfedeac9acae8dd59db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8e5e9cd70f41efeb37dfdfaace032b9

SHA1
2297ac07434e678a0abd4b1fe967b282775c05d2

SHA256
75a4d2dc1a28a7628aa6b17403944b37831f43aba8c06cd899733923ff1717dd

SHA512
705d7c965be20962ab404ae4cbbc8754842147e3cd4dfd04b3631bb0fb3fd0a7361fd64da2b1a6bd6a9cf8a15e5279a71affa33d54a3090704811ce1ad1ed28b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edbaca59d5893cdec21e535eb13af108

SHA1
c52cec0389b5b31a291288dede0e14c38f945931

SHA256
1cb53b3bcc640a13b35aff42160029eaeaf09b11aad65e456712b6a5d183b127

SHA512
6ffbec80d3758c8bf00e0ce5ab9b44076f554eb30d5fd80b821a4d1b14a400c6af9728ac5f9c237a57db58fb99570a2f8c5f2f178fc360fa81dda9eceb99f797

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c311edcfdd6f287046d5a0c3e6e258ff

SHA1
4e768621a0924b3515334e04e7f50596f43437ba

SHA256
d0f7d40e0d5a6933372acbc146c1f2c45857df13480e718a12f77b9271714013

SHA512
b31754cd364e4f807b4e2ca288f78af2f3a3e26ea76d5ad717db34c7c32df726b1dfc815956f246dcf880d274efdb334326f4564baf16d6f056cfeb4dc760e9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab116826988b8c1e4a8b155bcd090c44

SHA1
8f1a4a1340d614257072232e0dd0ad92de867a4f

SHA256
1ee8ca9876eb543c63178f2c4f1064777727b255c615b0cbc85ac936cab73b4a

SHA512
586f6bcb81a997ad43b40d9f38e31d0101225dab5db7718cc1ef704927fbe82da5bc3ab5f571d5833c3ca2b38dc84773e103ee05d7b0a9ad10e7e759a5bde3e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
865928410ff9a211249b8460b34c4d43

SHA1
eb7dfdd196aa77bd5b835c8dc36f444b52a3b88c

SHA256
41096bd843120392f487b8b143d86214e3d432eef485c1fdb9b80a4c8aa30bde

SHA512
1832482d6ae8d5aa8ada4a570e0b65b7389ee43c582bc28c212e12adf102e27850a03e63dc859cafbcf47116e74252d9f66af60dec5214e42e7153f1942ab535

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
764a55b333f7607d9839d84b9c3f6467

SHA1
e635648f89cc462f7550ea472e8b85e37eaaf5ce

SHA256
3e46c904b0a6e93afed7870f661639aa5ab774ee06aaf2767634f598fc3bfa29

SHA512
69946ed748b35e1176526a0fd07cf68b410bb457540a5536cd0db9fa39f51bb68d47aae66b851f5fd14e520670803dfac3641de1fc9fc858d6bb01eabb2d3bb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{21309F31-C89D-11EF-9E7F-EE9D5ADBD8E3}.dat

Filesize
5KB

MD5
877467f1ff12ef011cf1cc516d9fd6f0

SHA1
1baae152ed5db6df8a42b217ec764467b12ced01

SHA256
e99f835822c13f9e900e0e6482bba94b45db51f5fd3b1c38d38efec9e0fe1cd7

SHA512
96496d37e89a6e58d35161b3fde5aed10134db22a72438c50abaebbf231f073cd016047ea5c89068074c9cdb07e35e9a95b01d430d58c7232e72c6548d85bfc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{21330091-C89D-11EF-9E7F-EE9D5ADBD8E3}.dat

Filesize
4KB

MD5
b323229eeb64ba3e3349afede3206bd5

SHA1
ed2c0b18458ad8c6e4ed138eeae80b7ab54e5833

SHA256
d2aa832004f4128004f7ec1960341d404179ff7863ed483a6a5410bf357d53f5

SHA512
f646eaf1d5cb7d373d15b3f4082a765246713ee96d7e31f3e251d1d66c44b55d414174488f96e5761e79ef78b8870e072caea89382241d8326da43830dd91afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab225.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2F4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
105KB

MD5
40528988aff2d1f61af5ff359434afb5

SHA1
1100e10d796d6905d3aa25a26e0fa4fb7b23f356

SHA256
e458abdf73c87d6e84d3f9ed39483f0662b62d3f722c8db4a011586aa14a18bf

SHA512
166601caf50154f66f10d5e1fa3718b2fc12d2a6a8361e4d6766a19e6356da4948784e1dda9b23789f9975f6ccb5b9144b1c8325f63f64c228cee2d7f9704ba7

Download Submit
memory/2080-6-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2080-2-0x0000000074800000-0x0000000074844000-memory.dmp

Filesize
272KB

Download
memory/2080-1-0x0000000074850000-0x0000000074894000-memory.dmp

Filesize
272KB

Download
memory/2080-3-0x0000000074850000-0x0000000074894000-memory.dmp

Filesize
272KB

Download
memory/2492-17-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2492-14-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2492-15-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2492-16-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2492-18-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2492-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2492-12-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2492-21-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download