ramnit | 6dca98452222c44286ef99ebc16aae2c7434bf2ad4aa9206ecd89b3f55459abe

Analysis

max time kernel
140s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe
Size

107KB
MD5

6bec38d0302aee4aee65758b4803191c
SHA1

8772ff6579eca89f6d644326b8f0821ece71eb7e
SHA256

6dca98452222c44286ef99ebc16aae2c7434bf2ad4aa9206ecd89b3f55459abe
SHA512

9e2bd07d45062c2ba52dd4d59bc2b9f43b380e77d83ba34d2ce7c8cfd23f90cf1de9b2034099717ef7a328832ab3e5a340013969e1da049afa61978c477d1ab9
SSDEEP

1536:Myta9lxYNLHaJZHYCsVInIez/8jY0o4Bda0EWhz9Ps2Go+HOnjJFWhgKHMwtUg:a8AHYonVjB0ouxPSVQegg

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 5 IoCs

Processes:

6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exeDesktopLayer.exeEugoqy.exeEugoqySrv.exeEugoqy.exe

pid process

2096 6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe
1684 DesktopLayer.exe
2768 Eugoqy.exe
2664 EugoqySrv.exe
2792 Eugoqy.exe

pid	process
2096	6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe
1684	DesktopLayer.exe
2768	Eugoqy.exe
2664	EugoqySrv.exe
2792	Eugoqy.exe

Loads dropped DLL 4 IoCs

Processes:

6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exeEugoqy.exe

pid	process
2424	6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe
2096	6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe
2768	Eugoqy.exe
2768	Eugoqy.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2424-0-0x0000000000400000-0x0000000000427000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe	upx
behavioral1/memory/2096-8-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2096-11-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1684-20-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1684-22-0x0000000000400000-0x0000000000435000-memory.dmp	upx
C:\Program Files (x86)\Eugoqy.exe	upx
behavioral1/memory/2768-25-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2424-35-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2664-37-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2664-32-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2792-42-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2768-1153-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2792-1163-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Creates a Windows Service
persistence

Drops file in System32 directory 48 IoCs

Processes:

iexplore.exeie4uinit.exeEugoqy.exeIEXPLORE.EXE

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1AD4423C-1935-11EF-805B-F637117826CF}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1AD44231-1935-11EF-805B-F637117826CF}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1AD44233-1935-11EF-805B-F637117826CF}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Eugoqy.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_71F4740D37287A91812B9479338ACF24	Eugoqy.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475	Eugoqy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_71F4740D37287A91812B9479338ACF24	Eugoqy.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475	Eugoqy.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1AD44231-1935-11EF-805B-F637117826CF}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe

Drops file in Program Files directory 9 IoCs

Processes:

6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exeEugoqy.exeEugoqySrv.exeEugoqy.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Eugoqy.exe	6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe
File created	C:\Program Files (x86)\EugoqySrv.exe	Eugoqy.exe
File created	C:\Program Files (x86)\Eugoqy.exe	6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px12E5.tmp	6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1352.tmp	EugoqySrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	EugoqySrv.exe
File created	C:\Program Files (x86)\EugoqySrv.exe	Eugoqy.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1AC13731-1935-11EF-805B-F637117826CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422652002"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

iexplore.exeEugoqy.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e8070500040017001200310001008401	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = 70f154dd41adda01	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	Eugoqy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f002f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{943FE2C0-710E-4BAC-9DA7-7DA605EE7DA4}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Flags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 50cd4ddd41adda01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e8070500040017001200300037002303	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	Eugoqy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-85-98-66-f7-8e\WpadDecisionReason = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Feeds\SyncTask = "User_Feed_Synchronization-{191BC2C5-EF2C-4211-9327-133A8CC5487F}"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{943FE2C0-710E-4BAC-9DA7-7DA605EE7DA4}\WpadDecisionReason = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	Eugoqy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038c13c7e73ca8a4295aeba81cc3e559900000000020000000000106600000001000020000000cddb8967cef392dc8964f21f8558fb1bce41a6d404b1776116a375c357c877f9000000000e8000000002000020000000dc3b15d839943f7d3ab9d656cee9feeaaef5b5538ec0907739777a6fe615a78450000000b306027cc03be9387cf98a4ade42dea2cc56f665ee1ae0157b39689ce34febc7eda69b57b6ee7ee11a6da10d32d282851a1d5ce283fd064cddbbd255f81e23ce05251ba845230738709df5991f51e301400000009768e85cab3907f43f967984d65460f168ba17abb5e63489e8c3ba65527ed5ec62fe7a061c56caec22629a6a9735fc7e0d30ae16b660872c263a06e683672d90	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Eugoqy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Flags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = d05257dd41adda01	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{943FE2C0-710E-4BAC-9DA7-7DA605EE7DA4}\WpadNetworkName = "Network 3"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Eugoqy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "2"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

DesktopLayer.exeEugoqySrv.exe

pid	process
1684	DesktopLayer.exe
1684	DesktopLayer.exe
1684	DesktopLayer.exe
1684	DesktopLayer.exe
2664	EugoqySrv.exe
2664	EugoqySrv.exe
2664	EugoqySrv.exe
2664	EugoqySrv.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe

pid process

2424 6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2424 6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2424	6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

iexplore.exeiexplore.exe

pid	process
2612	iexplore.exe
2536	iexplore.exe
2536	iexplore.exe
2536	iexplore.exe
2536	iexplore.exe
2536	iexplore.exe
2536	iexplore.exe
2536	iexplore.exe
2536	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
2612	iexplore.exe
2612	iexplore.exe
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2536	iexplore.exe
2536	iexplore.exe
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exeDesktopLayer.exeEugoqy.exeiexplore.exeEugoqySrv.exeiexplore.exe

description	pid	process	target process
PID 2424 wrote to memory of 2096	2424	6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe	6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe
PID 2424 wrote to memory of 2096	2424	6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe	6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe
PID 2424 wrote to memory of 2096	2424	6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe	6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe
PID 2424 wrote to memory of 2096	2424	6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe	6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe
PID 2096 wrote to memory of 1684	2096	6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2096 wrote to memory of 1684	2096	6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2096 wrote to memory of 1684	2096	6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2096 wrote to memory of 1684	2096	6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 1684 wrote to memory of 2612	1684	DesktopLayer.exe	iexplore.exe
PID 1684 wrote to memory of 2612	1684	DesktopLayer.exe	iexplore.exe
PID 1684 wrote to memory of 2612	1684	DesktopLayer.exe	iexplore.exe
PID 1684 wrote to memory of 2612	1684	DesktopLayer.exe	iexplore.exe
PID 2768 wrote to memory of 2664	2768	Eugoqy.exe	EugoqySrv.exe
PID 2768 wrote to memory of 2664	2768	Eugoqy.exe	EugoqySrv.exe
PID 2768 wrote to memory of 2664	2768	Eugoqy.exe	EugoqySrv.exe
PID 2768 wrote to memory of 2664	2768	Eugoqy.exe	EugoqySrv.exe
PID 2612 wrote to memory of 2808	2612	iexplore.exe	IEXPLORE.EXE
PID 2612 wrote to memory of 2808	2612	iexplore.exe	IEXPLORE.EXE
PID 2612 wrote to memory of 2808	2612	iexplore.exe	IEXPLORE.EXE
PID 2612 wrote to memory of 2808	2612	iexplore.exe	IEXPLORE.EXE
PID 2664 wrote to memory of 2536	2664	EugoqySrv.exe	iexplore.exe
PID 2664 wrote to memory of 2536	2664	EugoqySrv.exe	iexplore.exe
PID 2664 wrote to memory of 2536	2664	EugoqySrv.exe	iexplore.exe
PID 2664 wrote to memory of 2536	2664	EugoqySrv.exe	iexplore.exe
PID 2768 wrote to memory of 2792	2768	Eugoqy.exe	Eugoqy.exe
PID 2768 wrote to memory of 2792	2768	Eugoqy.exe	Eugoqy.exe
PID 2768 wrote to memory of 2792	2768	Eugoqy.exe	Eugoqy.exe
PID 2768 wrote to memory of 2792	2768	Eugoqy.exe	Eugoqy.exe
PID 2536 wrote to memory of 2520	2536	iexplore.exe	ie4uinit.exe
PID 2536 wrote to memory of 2520	2536	iexplore.exe	ie4uinit.exe
PID 2536 wrote to memory of 2520	2536	iexplore.exe	ie4uinit.exe
PID 2536 wrote to memory of 2992	2536	iexplore.exe	IEXPLORE.EXE
PID 2536 wrote to memory of 2992	2536	iexplore.exe	IEXPLORE.EXE
PID 2536 wrote to memory of 2992	2536	iexplore.exe	IEXPLORE.EXE
PID 2536 wrote to memory of 2992	2536	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6bec38d0302aee4aee65758b4803191c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Admin\AppData\Local\Temp\6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe
C:\Users\Admin\AppData\Local\Temp\6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2096

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2612

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2808

C:\Program Files (x86)\Eugoqy.exe
"C:\Program Files (x86)\Eugoqy.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2768

C:\Program Files (x86)\EugoqySrv.exe
"C:\Program Files (x86)\EugoqySrv.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2664

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
4⤵
- Drops file in System32 directory
PID:2520

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2536 CREDAT:275457 /prefetch:2
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Program Files (x86)\Eugoqy.exe
"C:\Program Files (x86)\Eugoqy.exe" Win7
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Eugoqy.exe
Filesize
107KB

MD5
6bec38d0302aee4aee65758b4803191c

SHA1
8772ff6579eca89f6d644326b8f0821ece71eb7e

SHA256
6dca98452222c44286ef99ebc16aae2c7434bf2ad4aa9206ecd89b3f55459abe

SHA512
9e2bd07d45062c2ba52dd4d59bc2b9f43b380e77d83ba34d2ce7c8cfd23f90cf1de9b2034099717ef7a328832ab3e5a340013969e1da049afa61978c477d1ab9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
45f1a67a4d58c8b6998e03830b83626f

SHA1
8054d7fcb666edbfe1f6d6805cd07a72e566142d

SHA256
46fe9c3e53f99d3ff6659fe1d4e94ffc0c5bb79c8c38299a34bd40a40acef7b3

SHA512
33e2c158d32a9b6f7383205c3bc5206f5707e1acd8bec7d348e5e9898e242c076e4a3c4c250654729e4f7b2027ed1c3d6ddfae7d1bfce38118d9d6a7d22acac9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9ac1c35f5e4a0d3904f306383ad33977

SHA1
08be9ceaab856141ecef5b0db2dc5779eb5cc7c8

SHA256
30c659349ee06646eee40fd80eba9b7971b48e48787b0d88ab0cb4d6726d1505

SHA512
d4ce1cf2548b1e9a3b252334dd8b80c96230b0f5bad3be0035dde84b7e2ae95df3ca5a9380d511626deafcb64537e625b77f4e7367f41bbf91b0f374072fca69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7b92a5cc17f1550ba241eb3590254818

SHA1
75337ac42a74bf05c1b12d59908e7df4b948a021

SHA256
86cc3ca3ea2f34ce5a3b88eab04a4ba988bf66b7bb61785cf4cf63a63c0af919

SHA512
4be3f6fd0ea68b4594a253fa69587346f67e4e3fe1ba9fc3c6789fd307672a9cda5ba2462a0e62322c26488c39b2af49541130b100ddefc7dfb06e9522988aa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a639449dec4227d168bbf2d3a84be479

SHA1
c2f787e9fd0fac1e3c4ed6917e2bebc278aa5930

SHA256
02c7f2e698ca507870d167ffc7feb11526904e81c062ad98d31982db4d975610

SHA512
79830bc469389a6bc67297d870ab1510064b98e8ba56a2df8babd5ca2007bd15234278b47a4793bc38b80cbedbb9c5ebbc8073e5d3df80686117410147764114

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e657261ce989db687cc0a83b5a192de8

SHA1
595d6e5fbb1a0b314b2a94743a78405f628eac53

SHA256
ec27033a362ad687668f4d0a462c4a56e7b6566c040d2be91b360bdadb2137b5

SHA512
cc869ae8a9334e56ef4b7d104bdc3c5f334ee2395a8756f0d3c2109f72823a130be6c41d0269bfc5fdb1486906cb6840d40f8440866344ef1eefd149d57a8834

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
edb91cec92539c0cbc68f18bfaf05df7

SHA1
2d1e95d3baa9e4f884310bcc978f53bde6677fc0

SHA256
ce484ec184796ec3db9cedf4c5e34b4ced99573b5d876ce6e47381d6c003c303

SHA512
1f1f11088d58a7afffc481a6003de300f8651e9e70b12e814eb227493ad651a01acde59db17c6ee487527b0075c44c019b4b564f94b28435b4c0f227ab3c8b16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6dad483fffd2551bf4f73c6dcc1047b6

SHA1
bcc15ddb730a66cec26ab46a239033b0bed95fcd

SHA256
fbb500ed67dc8892590a54242f0978f5485459eba9258921cebf785cd26ae508

SHA512
33c983c8eb677840a84f5d114f94660928c33157a998a9f0a964bb357cff0ee465bda64dde81889670b1663ede24ed502156872fff47940e59d49973a6f57814

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
223456aef1951c96be180f55533c1e54

SHA1
babafc7f8c1d3bd87e7f6cbab81ca318d1640d78

SHA256
5408ead4fbaa72c6ec92e4094c03b9c6c656715bef584aac92e0f884eedcc98b

SHA512
94f6dd0d0f1fb9b660bfd8359f54dbaee2f4d496972dd8e3a7c878c640093f4b34222fe6a23009ba2746f51ee61929f6aba9ddd362db5bc8441147196a6792f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f008980fe4d77a8aea6ffcf6c9ef320d

SHA1
6e7a0f329d3fb45b7c70e89195332eaf9eed0b89

SHA256
d3507a619468d7e83e7182857c335a352b4e0a10dc45dd2a49251698a7ec0d15

SHA512
e95f18c3d6900378491feb3c866c21ebe80d37220d378086ffcf47c889cf48c3bd73d2c2abb5b48ce2e57d547cc90eeb9d9955583961a6f3276fa4d07e768a54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
941bbcc759c74bad73b2db5c5800d6b8

SHA1
36d2632e5e2b2f6c4a909d472f6a53c90a868dd2

SHA256
e3e1eba8178b93939fb26b742699bd0d3c9d96d51e3c0f22d76b870b9aad572e

SHA512
ffcc63bcdce66c68e8242ad39d251d504d08c28f807db8473e4e5b9c0fba3869147dfa27c1e421ab1743eda0df158a0cf97e4509927c5f86b24de8809004342b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
90cd954b4a06d805782888b035d82206

SHA1
c694b37640584f043aa93c52c3fc84eddac04619

SHA256
76192d5893af714fc1b3f1117fc1290ffd698a4f32c9cb89b97967d907f15662

SHA512
470f37d406460818a05400d889eebee687c038ac55792b435a5c074536683d13706bba8e22b25d64754deb40d72131c6e2c15914c98309476ea9807bfb240088

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
695f5600911eedb878eff68adcdf614f

SHA1
0417e825af176ab7e12fb723493b03707f499ec4

SHA256
b4cb73ef978b0b0038e81d505a510c62783cefe0298fd282240ff2b18b57ac66

SHA512
f822240bc40d8d1dadc613e7e82cb85a0d936f67f40fcfa0cebe9381f6e9f1a5bb9b3f50869853c52c6056ddabfe9c2b998a08d84aa39f4f6437d2b4b21d76ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
107ec563ea10b210e384c0dd0ee2bd11

SHA1
e12ccd22145a008d8e0d42ab7f7457b60c518433

SHA256
07900fab52eb6f2940ebdb31fbd756843fe57e301b1b3ea521e0d569a052d22c

SHA512
f42c7289fe3125699eb6027c75350c9b1b479ab1b26f8ea47b4201ecfdff39df3d2cf7c6b29f310fd18347576f45af492399e9e16a2fbf6b70d0990772b4392b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9175f4907243c7b979e4a6d0ff0a8726

SHA1
41c827f232cda09f6feac4e38536ce5364276d48

SHA256
70944c774e4cbf5a90f7c901551922b9556693d0029a84423bbcfdb7cfa3fc3f

SHA512
9172dd1f4e657512c90a144aa6da6ea4c576c09036cef059777cfa64541637cdbf881e3bfafaffedd87c70fecefcaa2a1ae19d37ba5a4383c507ff5a4d37027d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0986af26af06ba5f3167d7c7939cfbf1

SHA1
ee153058470b2c880e0c17e7e79a1f3f72f09f2e

SHA256
ebced93f3e9d8db009520aaa2751cd0a4613c4f2b6cbbcb81010bdfd7e36244d

SHA512
346ad708472a8aac92cdf0529cc8be8436dfd2821522f138ee2adc9ea59ef7e4aec6ec9f7386b6d26b74c3352287d45acc22cdb038de9b752d7070f55fcb0557

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
659bfa9021ae877e5694f09883dd08ac

SHA1
800fff74c6bc8ae262096f4aca4453ffdd64fdc2

SHA256
e26224de6d8cae670cb52872132407f9334d546f1ed2aa2fa689171ef1cb0d19

SHA512
fbe7febd575f3f64fd3e9946515d3d9e9119e5e81aec1a0d2739ce9f37f8bd185e927d13cac6d359639eea347c96c6ac2a82d1e22fa246783d23501e28883371

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
32cb44833590130cb4b8e7414eb7737e

SHA1
f6e06cb13537cf1c8fc24219524bd6dd6008b106

SHA256
c1ba71a1e175d750cba45dc5ebb82b34887cca68ebc1e26d2a13d3e502d1ff30

SHA512
e72ec5484894603b279b22e363d2d0e4e727933c288f51b37e91a962c9f69e010f3e3b80ddab51453851315459c4df3eb95dee348fa6337bcd72ca412e74b12f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
229a93531f058ef9f55e48a0b6e36203

SHA1
63420899f394d05fc27dfc4619befdde89edb288

SHA256
f4b2bfaa6c5b5512facaf6a6d79cb016f193926744b9c959a05d88067ab422b5

SHA512
c2d7d1992cb37403511b8084f4ef99dc792f9d7f8819cd99ce9c031e2ec208d0929b1bca63693c7c66aae4fafca8408c978eee3034cce43df3a872da75172e99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
69a9ca779d0365b326fe64db904936db

SHA1
4c116a576d40d16751459a00af7313f9d9123aed

SHA256
de9efaa96558a0c418f7613087ba926d06e832c6a69d7baf087bb0dcfe5c3802

SHA512
280928eac5e9a5eadcac4d4c4cf9e528c17bdaf62a1e8424d1e783fae9beefcd1af3eb633a829c92735a63c047864d6a0771ce52bbc48109e1b511f6d905588e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
e71ca6d125eab773827c64a89c516900

SHA1
38fa528716a16ba4908d1ac06d3ae5230fb55168

SHA256
d0777ae22d54cad60ef7f835376ca7103298bfd524b8018e01ae70f52264c2e8

SHA512
69ae04f79ec0ea1e32102dd0a6e42cab38fcbd9a76ed7e0504e07dae3ebda30383799c4545aec5ba79b291e099e94914c957a1267778af2d37dec51b0cebbce7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
80776deb8ca14803c3f3e04440fbc306

SHA1
7c139036ceba935abbbefedb084c4f35fa4568b5

SHA256
bbabc83816bf4c9450a729101af58f1ea85c6e4d5e0ddcc10eefd47c2a0c8032

SHA512
5fc758ef6b9c71d216437fad1b74e2b913af942537b45a176eb9fa2380b32e99d0a586b044a3aca775edea8307c055758e06a861eec7de6ae7746b95a51e2b75

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c355821601a59d727277a79e3b9c2865

SHA1
8c06b0542ea1e3af678025ce9c696367c09dd983

SHA256
6cd4ea89787a1619f2074e5caf79eb43e064ce9d3a4d1a5a576098305ea3787c

SHA512
0c3d947bfbb0f28f6dad38f9af6e0e0f6496a8b0cda100587c512800e692f88ee8ff39313f75a22b9dc4ef8e5841d07dd2f041d0628b7ea684b5db93d48b6ab1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
39f81f139398183f6107729fe51c39ac

SHA1
da5434a776903ab7bbc6aa7e5f6224d919abe5e3

SHA256
84b65e053d2cc9dfc7ceec18d5387f6cd6f3ebd2b658766480e7bcdabf126984

SHA512
4e570f45fc2c6878750d6b0b55b74288a5680039eb8c1178e59b55a2f514bc4d346c2af31d9d9dc3e3364832840ee841496639eb41b300824b2b5e4cf704cebb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
67fac60d9fbb1a4dc0c8c2313d05b366

SHA1
cc7ff4b786b407e18182cc4418920a88608a7ccf

SHA256
7ae0983cf7738f8b2e7fc0c0f06ca048ecee39eb93c92f80e6285052a6b15368

SHA512
4a539996d163958163db349ce85b2d1d1f4bef485a7ba5ca29cdc4d8d460cd1326c249e1634f54c01a869d3930f4b674ab553798d7840b7007e227ad755718c6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ec9318c2ef2e26182ca2111abd511606

SHA1
581a4b04e722f6318e2fb96bc556354be01a365a

SHA256
f815f95b0664410e279997190d1d3b64dbd264e74ba9638754398fe57b1d7570

SHA512
810a2a0eb42257f8e9c59310a5f9b94b134f7f16f009a1b17b11bd900cfdbe590782542e3dbdb70577c0c02946245c7affd7a9588f55b6cdb7b473fe01e50edc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
242407c9c87604f862f9cebff164b856

SHA1
2385c2815439dd52ce24aa2fdafc4b78e6816b3b

SHA256
fedc7c7015ee2c23950da0c6fc570c5da8447755cfbe996543573907770cda87

SHA512
3b8a95e1d59d31ddcb7a38b9fdbed80eb68816cbf5598d0859f359bf3955d721b6fb5104102878e6fae916ed01d217deddda658825dad9f6fab54d7b6bc2f407

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6af52d374929b73501852e03ef2e03a7

SHA1
a5f3808b89333f6c656ca483f009312ac8a83d21

SHA256
4393abadcf13dd3e83c164f980075fdcb7e3bd4bbe7eda30167afb7b25925eb8

SHA512
56bc6a30c7aec3fa23ad153bb386ffc5a0519ed5a5cfb9449421c28927c37621d944e9cd00732bf4f525e5468617905526b4a1fba26b99d2244078ec6b8a6e56

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
321a3c5fcf0be69b91ae3f752c209e68

SHA1
021f1eba6fa322a9f0a07b2ded45adf9b65754a2

SHA256
74cbbbc1b57b8faa9a0bfc866b7daec08e50e3c6455cbfce997539fb95407646

SHA512
42d74e84e91e063113379313962ec26bd46be08dc83e202548b73de3cb55ea0783a1d0472b1b873320e15305035530c0fa611443807fc2343b835e1ea604d8d7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
de97cd652925201e9c7d08455267651e

SHA1
c5f973d67fd882cf22a79036a8ae89df01fb3691

SHA256
8e0bf1e9428ba4e81b437e72aed51ab855f35503633b9ea80e30fa663b03bf01

SHA512
64c3ad0438cdb3720665c44ff3601bd9cc7c9413ead7e9377c57a955ea884a8a5b9b6082e0db41ada065cec86c74ae369fb74beb546dcf04e846a08327d86445

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d066578d81e36290fee295a5da6f60c9

SHA1
4e2dad1e95f18a35cde91bbf7137f3c57c0f6ac2

SHA256
05e6b98431efc751c03eff089f07d148d0c3cbf7f1e226fc7c29e1bc47ae1f89

SHA512
940fd4ec3ed08ecac1c66e4f708b318eac02a43c80b15567798ddfeebf75e8b62460fd036dfcef7caa4991782313ef133dd4e85f6d171f5a35fcd20d1a3aacc8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6e814307e005b661712b9f86f83fef48

SHA1
30d9665dda0795f60b845bb148711730c331602b

SHA256
957b7a7b37ff15d4e99554199603084e060b76e5262e08bba98b5cb67bed3620

SHA512
6d45d5d06a892586b11db94d1c0be94a7c6d59aa1c55383a77a406077966e878f80799d9cbfebb4f4db4134bcd5cf3c26570815f7db558bce5f1e428ffc38014

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a35bb18681fecc18dceb105a574ca338

SHA1
d9bbaddb2d12c38cceb569029b57d0ea41ee78e3

SHA256
6651125246ea8a0b588b9706b35d9e61f5fe61381631dbe7d2242b5e2de98fbb

SHA512
da5379373abc8322bcacc17a76bde20d120318bc00374df9c548e799efa204f866b2201d88d8ee9ab8b86c8221f596450975292f3193493d426fff40726a171a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bdb0311e8adc456f249c7b90b29c8bcb

SHA1
89733071f51cc4e0f3b11bf8d33e377b0184baba

SHA256
7957d6377ccf545936da0d33cd3f4932a0ea15bcd33606b34ca68da91a1a738c

SHA512
4cb47f6081c338674d56d60efd031fced57e30265708893bb412679488b0a4c00303cbad1be43f95bd0802e55f6d4cd4b024144716685c85a988d075fc13bf11

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
658b4dca7b25832da5b7ca557034642b

SHA1
7f2fabbe0ab082f0ea0a0b85b5e8a07dd47998e2

SHA256
d3a4dee9ded0183b8b53bcb4f3d0602e1ee04396229e583ebf43bca7e2aa4e45

SHA512
f6fd4f1c2097ec138dfda174c7157ca235c72dba79ffbbb279e16b75b86fa665de7433ec94323fd5f4911f006f282217c7d29eb57630000864039659021ef43b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
26ffc720aa3813e583fee3af36a058cf

SHA1
85996e06b22fcce05221bdf25d22ffe0d0c6baff

SHA256
6c30dd915a0c1c560cb0b1d1c1034277277a157c8715b74e336981f779c077a7

SHA512
af4eae07691caf948a6f253f1af1b2c8dc5baa5a13f69c4ce7d2934e1ed209c9cc7d7442cf177ac2dcb58326440aaa6b8d66b4c4a55ff3bdc580f9b89e6a8be2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e24b6abd11c972424acdc8087f7cc82b

SHA1
11c3c1121a5855490781297f915d31955d2f161e

SHA256
7b1418652da38b02c72a7fea40092cfda52e4ca78d649b32167ee0d42af52362

SHA512
fca86ea2dfbd428ffc1f375c2cfa6d53b5790cf8249cd30fbf9f666ff8790b900d0ff44b493101664e3a2281d6b8b094fd2cc012dadc01a8e1b9edb203a6f7e7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6a9f5873ad06c890543d636f4701fb38

SHA1
d44a04dc986d2e5da97e6bcc0ab314c3c26df7b2

SHA256
548813648e5a88ec08d0de159910c5e6ee6d8f4605a334cb94ebe8b14ad5b11d

SHA512
62f1d8d2bda2497714cac8d8d6d264f484f95731023b37d76eb2fd7751d79f5872ee33069042e07754f28b205cebe7ce940d8ae8b3eee9d64f2f06e1098770c3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d3a147d1d8eb5f880d8a2544823c6866

SHA1
365f3f3880f8b85cd9b160b53ca58a239c565300

SHA256
7e2f307fa7a6444ea0e308e6ed2627804da998598bc545ad35d2d25d59a28d77

SHA512
4613e73a8864c7777b300cd85553f212c11d154f78a7435a1508dedc9396cb15419446c2353ee842099d8fa4369c734defef252ca8efbcf4a807680bc022b9bb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0edfdaf3041d7dfe6ec7c0f111572ce7

SHA1
3a1374f1e968791db4e33fbab3fb9f67cc1a57ce

SHA256
61d3da6fde8a7b7a55c1c921ceb20f1f828b3c8771eeb0da52436356e100ba2c

SHA512
e75b9394bb65e77b5faa761aac743c9c6ebe23c7f69667108c229955c324df05bfe8a2532cd6b48435c023053d5e8ab67c430645900fcd7fe2d38d1b940ec048

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
0ed5e2f8c226afb8fa1a43fc128bacc2

SHA1
75ca6221e92283b91450e47c45725a1ab50876b5

SHA256
1b8bb3150f5cf990e5224dd521ef9976bb747b60c5c0616c2c22cecfc2065b3a

SHA512
c88e7004b153528b462631621cbb829571c604c4e3146dc780e5a943d8865f44ec6dd4606c69c59ebee60600d1d698469a3fde14b61105da6fc6e6df2067c294

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url
Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url
Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini
Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini
Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab1FD5.tmp
Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar1FE8.tmp
Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar2174.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\Temp\www14E8.tmp
Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\www14E9.tmp
Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
\Users\Admin\AppData\Local\Temp\6bec38d0302aee4aee65758b4803191c_JaffaCakes118Srv.exe
Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
memory/1684-22-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1684-19-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1684-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2096-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2096-11-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2096-10-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2424-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2424-35-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2424-5-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2664-37-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2664-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2768-25-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2768-40-0x00000000021D0000-0x00000000021F7000-memory.dmp

Filesize
156KB

Download
memory/2768-1153-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2792-42-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2792-1163-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download