ramnit | 5c77aa10fe11b7d26547b0ec4b526b93f37ec549ddd153b24a8e706169e7a60c

Analysis

max time kernel
94s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_090f5e1fc96bdcac4b62013c7dd1355b.dll
Size

144KB
MD5

090f5e1fc96bdcac4b62013c7dd1355b
SHA1

8a482b1311016c17fd439d8241e07fee49b9358f
SHA256

5c77aa10fe11b7d26547b0ec4b526b93f37ec549ddd153b24a8e706169e7a60c
SHA512

5158aaed72803791c3d7c520b3248238337d071e7b5a3e3f71dc6835bc220e89cf553b7ac81246115488d35a9429d2353eb8a62bf58c26d2cdaada44c0e2afcb
SSDEEP

1536:1ibToqp78CcWuDSPCw8YhekzkuGWq5A//J1Z6sQflFde0vms2:1ibTTp78CcWmSvFekzk7WJ1Zg9/e/

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
1744	rundll32mgr.exe
4104	WaterMark.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1744-8-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1744-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1744-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1744-7-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1744-6-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1744-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1744-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4104-27-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4104-30-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1744-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4104-39-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4104-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4104-43-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px9DB7.tmp	rundll32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32mgr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1656	4556	WerFault.exe	82
2692	772	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2988657456"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444273721"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2985376512"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2985220150"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DD8A11AF-D85E-11EF-B9D5-FA89EA07D49F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31157355"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2988657456"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31157355"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DD8ED659-D85E-11EF-B9D5-FA89EA07D49F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31157355"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31157355"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4104	WaterMark.exe
4104	WaterMark.exe
4104	WaterMark.exe
4104	WaterMark.exe
4104	WaterMark.exe
4104	WaterMark.exe
4104	WaterMark.exe
4104	WaterMark.exe
4104	WaterMark.exe
4104	WaterMark.exe
4104	WaterMark.exe
4104	WaterMark.exe
4104	WaterMark.exe
4104	WaterMark.exe
4104	WaterMark.exe
4104	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4104	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3640	iexplore.exe
848	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
848	iexplore.exe
848	iexplore.exe
3640	iexplore.exe
3640	iexplore.exe
4924	IEXPLORE.EXE
4924	IEXPLORE.EXE
4912	IEXPLORE.EXE
4912	IEXPLORE.EXE
4924	IEXPLORE.EXE
4924	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1744	rundll32mgr.exe
4104	WaterMark.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 4556	3976	rundll32.exe	82
PID 3976 wrote to memory of 4556	3976	rundll32.exe	82
PID 3976 wrote to memory of 4556	3976	rundll32.exe	82
PID 4556 wrote to memory of 1744	4556	rundll32.exe	83
PID 4556 wrote to memory of 1744	4556	rundll32.exe	83
PID 4556 wrote to memory of 1744	4556	rundll32.exe	83
PID 1744 wrote to memory of 4104	1744	rundll32mgr.exe	86
PID 1744 wrote to memory of 4104	1744	rundll32mgr.exe	86
PID 1744 wrote to memory of 4104	1744	rundll32mgr.exe	86
PID 4104 wrote to memory of 772	4104	WaterMark.exe	87
PID 4104 wrote to memory of 772	4104	WaterMark.exe	87
PID 4104 wrote to memory of 772	4104	WaterMark.exe	87
PID 4104 wrote to memory of 772	4104	WaterMark.exe	87
PID 4104 wrote to memory of 772	4104	WaterMark.exe	87
PID 4104 wrote to memory of 772	4104	WaterMark.exe	87
PID 4104 wrote to memory of 772	4104	WaterMark.exe	87
PID 4104 wrote to memory of 772	4104	WaterMark.exe	87
PID 4104 wrote to memory of 772	4104	WaterMark.exe	87
PID 4104 wrote to memory of 848	4104	WaterMark.exe	91
PID 4104 wrote to memory of 848	4104	WaterMark.exe	91
PID 4104 wrote to memory of 3640	4104	WaterMark.exe	92
PID 4104 wrote to memory of 3640	4104	WaterMark.exe	92
PID 848 wrote to memory of 4912	848	iexplore.exe	93
PID 848 wrote to memory of 4912	848	iexplore.exe	93
PID 848 wrote to memory of 4912	848	iexplore.exe	93
PID 3640 wrote to memory of 4924	3640	iexplore.exe	94
PID 3640 wrote to memory of 4924	3640	iexplore.exe	94
PID 3640 wrote to memory of 4924	3640	iexplore.exe	94

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_090f5e1fc96bdcac4b62013c7dd1355b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_090f5e1fc96bdcac4b62013c7dd1355b.dll,#1
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:772
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 204
        6⤵
        Program crash
        
        PID:2692
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:848
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:848 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4912
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3640
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3640 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 608
    3⤵
    - Program crash
    PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4556 -ip 4556
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 772 -ip 772
1⤵
PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
fbd57568c7e969025fd7a77d6a9e5f45

SHA1
d8c221556c7dbeb55cbfe80a3006b6578e2ae4bd

SHA256
b820d32dc781d4a3af1cc452d73d4f57e1d963da4cdec90cb0660837657c8328

SHA512
c8d4e5b78e01570d02f0953bd0ebd818ed2985dfc5006ba39ce101693f1bc9de8550b9149d3028911ec5c1371b813f0bc8391d10294e04022b52a91c3d47f5cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
3403c0140c30ab00bfff00d857c5a851

SHA1
9d7a54c9470c56fd027a88ad7b4ff2c66d625dfb

SHA256
2119e61ccf9d0a10544beb2380586f5c031d13753f57d409355c5a4a6d945778

SHA512
2067712cc9b1b8042c3b6bb74b7f410c837efecfab9f1b876419d3b362867b81a4716a9fefb2d54a6005cdc4d0d5a28b37e35146c6ed156d7901dbd102d55d80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
c5451b444b5cca639ff2b3f27927ab12

SHA1
a15d74df1d602b0645c7cf38ae083df2135c2e19

SHA256
1543cf6bd347d2062359b4864c1b5b183320eb95ca53d0164256c21b3bbec5f1

SHA512
6466ed89d77bb6337aeb66d83f3217dc57a76d7c1ba2e349953200be97f371b9c7d7c3e84b230da7cc12bb82f4e8624e942e9d3c3a7afc0d5523c869f1c094cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DD8A11AF-D85E-11EF-B9D5-FA89EA07D49F}.dat

Filesize
3KB

MD5
093df94d6be703b845d00f8fb4663bf2

SHA1
d87187cf2beaeae7401250ffbf2ecbcc3e0bc07f

SHA256
94972ee94b57df81dd51d6f64106813d568204e5d8d576fd9ac5ec1b34f78605

SHA512
a1eacb3959ee5793c7f54b7c5e8ee29e42ff3e1e0319eaa1fbb7d9e591abf635e912faa75d6bf0510635576547073e2155f03ddc6542ecc5408e92264845bbc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DD8ED659-D85E-11EF-B9D5-FA89EA07D49F}.dat

Filesize
5KB

MD5
29fc116350a25fe20127f23cabf60585

SHA1
f9bf91e3e847310d40ba12c12975de4f6f40601e

SHA256
c4bedfb7ee0b872bac73c0c7e580ddccdc146dd29a626c084836295915f380e9

SHA512
a9ea9b99761f5624bbc8636bb9a69724fe75df25a739835b55d8fb0ac74c3b4839d48b74c163bf1f83ed055e6e5630aab7a74867c04ef50be1f9b482ddbc5281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
103KB

MD5
0ff8c1c8de1f818a51512f4d894e30d1

SHA1
bd99a343ea5ca5ebdd7207651478a8425054716a

SHA256
7cc54785e229b1605103e3219969939eb80f106e9edca3cb380917ac33526d28

SHA512
da23767aa25ba5c1bb55c338fa82b1b60853c83fd1e4af28cc023fdd1405b46717bc58137d7bfe7a3a581dcd23de0520ab6ace88434b8cf35b3a0278f516dfd2

Download Submit
memory/772-34-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/772-35-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/1744-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1744-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1744-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1744-26-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/1744-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1744-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1744-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1744-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1744-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1744-11-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1744-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1744-5-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/4104-31-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/4104-37-0x00000000779D2000-0x00000000779D3000-memory.dmp

Filesize
4KB

Download
memory/4104-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4104-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4104-38-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/4104-43-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4104-32-0x00000000779D2000-0x00000000779D3000-memory.dmp

Filesize
4KB

Download
memory/4104-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4104-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4556-36-0x000000006D080000-0x000000006D0A4000-memory.dmp

Filesize
144KB

Download
memory/4556-1-0x000000006D080000-0x000000006D0A4000-memory.dmp

Filesize
144KB

Download