ramnit | c65046f87d5ceebfe71df19347ce5e768354b4a160d9b9f5b4a753c5dab06ff2

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe
Size

8.2MB
MD5

72f633f58d227097bfdecfe376d43a33
SHA1

326ddce87207893711a87ba68b53a61da368947c
SHA256

c65046f87d5ceebfe71df19347ce5e768354b4a160d9b9f5b4a753c5dab06ff2
SHA512

ed8c23be8ca9126b7870c0cdb6c0d8cb20213b1d5b8781db6f6574825e5fcb982c6a11890f0afd4165cf8b07b824bb401f3b7b916a85548c8f74b2dbf4714556
SSDEEP

196608:uB0vB4AxB1OsjEO99SacEYaokwEfV5vrI4FgBDpbY:uBG4oSagb/2jIkgTbY

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 5 IoCs

Processes:

72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exeDesktopLayer.exe72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exeDesktopLayer.exe

pid	process
2600	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2900	DesktopLayer.exe
2296	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2748	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2452	DesktopLayer.exe

Loads dropped DLL 21 IoCs

Processes:

72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exeDesktopLayer.exe72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exeDesktopLayer.exe

pid	process
2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe
2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe
2600	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2600	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe
2600	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe
2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe
2296	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2296	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2900	DesktopLayer.exe
2900	DesktopLayer.exe
2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe
2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe
2748	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2748	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2748	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2452	DesktopLayer.exe
2452	DesktopLayer.exe
2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe
2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	upx
behavioral1/memory/2600-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2600-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2900-33-0x0000000000400000-0x000000000042E000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\nsd2879.tmp\nsRandom.dll	upx
behavioral1/memory/2900-87-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2296-67-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

Processes:

72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px2952.tmp	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2A5B.tmp	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px28B6.tmp	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{61616ED1-1ACA-11EF-AB84-52AF0AAB4D51} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{61369611-1ACA-11EF-AB84-52AF0AAB4D51} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422826066"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{614E63D1-1ACA-11EF-AB84-52AF0AAB4D51} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exeDesktopLayer.exeDesktopLayer.exe

pid	process
2296	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2296	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2296	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2296	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2900	DesktopLayer.exe
2900	DesktopLayer.exe
2900	DesktopLayer.exe
2900	DesktopLayer.exe
2452	DesktopLayer.exe
2452	DesktopLayer.exe
2452	DesktopLayer.exe
2452	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

2788 iexplore.exe
2976 iexplore.exe
1968 iexplore.exe

pid	process
2788	iexplore.exe
2976	iexplore.exe
1968	iexplore.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe
2788	iexplore.exe
2788	iexplore.exe
2508	IEXPLORE.EXE
2508	IEXPLORE.EXE
2976	iexplore.exe
2976	iexplore.exe
1968	iexplore.exe
1968	iexplore.exe
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exeDesktopLayer.exeiexplore.exe72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exeDesktopLayer.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 2372 wrote to memory of 2600	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2600	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2600	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2600	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2600	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2600	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2600	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2600 wrote to memory of 2900	2600	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2600 wrote to memory of 2900	2600	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2600 wrote to memory of 2900	2600	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2600 wrote to memory of 2900	2600	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2600 wrote to memory of 2900	2600	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2600 wrote to memory of 2900	2600	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2600 wrote to memory of 2900	2600	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2372 wrote to memory of 2296	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2296	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2296	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2296	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2296	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2296	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2296	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2296 wrote to memory of 2788	2296	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	iexplore.exe
PID 2296 wrote to memory of 2788	2296	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	iexplore.exe
PID 2296 wrote to memory of 2788	2296	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	iexplore.exe
PID 2296 wrote to memory of 2788	2296	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	iexplore.exe
PID 2900 wrote to memory of 2976	2900	DesktopLayer.exe	iexplore.exe
PID 2900 wrote to memory of 2976	2900	DesktopLayer.exe	iexplore.exe
PID 2900 wrote to memory of 2976	2900	DesktopLayer.exe	iexplore.exe
PID 2900 wrote to memory of 2976	2900	DesktopLayer.exe	iexplore.exe
PID 2788 wrote to memory of 2508	2788	iexplore.exe	IEXPLORE.EXE
PID 2788 wrote to memory of 2508	2788	iexplore.exe	IEXPLORE.EXE
PID 2788 wrote to memory of 2508	2788	iexplore.exe	IEXPLORE.EXE
PID 2788 wrote to memory of 2508	2788	iexplore.exe	IEXPLORE.EXE
PID 2788 wrote to memory of 2508	2788	iexplore.exe	IEXPLORE.EXE
PID 2788 wrote to memory of 2508	2788	iexplore.exe	IEXPLORE.EXE
PID 2788 wrote to memory of 2508	2788	iexplore.exe	IEXPLORE.EXE
PID 2372 wrote to memory of 2748	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2748	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2748	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2748	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2748	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2748	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2372 wrote to memory of 2748	2372	72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
PID 2748 wrote to memory of 2452	2748	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2748 wrote to memory of 2452	2748	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2748 wrote to memory of 2452	2748	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2748 wrote to memory of 2452	2748	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2748 wrote to memory of 2452	2748	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2748 wrote to memory of 2452	2748	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2748 wrote to memory of 2452	2748	72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2452 wrote to memory of 1968	2452	DesktopLayer.exe	iexplore.exe
PID 2452 wrote to memory of 1968	2452	DesktopLayer.exe	iexplore.exe
PID 2452 wrote to memory of 1968	2452	DesktopLayer.exe	iexplore.exe
PID 2452 wrote to memory of 1968	2452	DesktopLayer.exe	iexplore.exe
PID 2976 wrote to memory of 1780	2976	iexplore.exe	IEXPLORE.EXE
PID 2976 wrote to memory of 1780	2976	iexplore.exe	IEXPLORE.EXE
PID 2976 wrote to memory of 1780	2976	iexplore.exe	IEXPLORE.EXE
PID 2976 wrote to memory of 1780	2976	iexplore.exe	IEXPLORE.EXE
PID 2976 wrote to memory of 1780	2976	iexplore.exe	IEXPLORE.EXE
PID 2976 wrote to memory of 1780	2976	iexplore.exe	IEXPLORE.EXE
PID 2976 wrote to memory of 1780	2976	iexplore.exe	IEXPLORE.EXE
PID 1968 wrote to memory of 3064	1968	iexplore.exe	IEXPLORE.EXE
PID 1968 wrote to memory of 3064	1968	iexplore.exe	IEXPLORE.EXE
PID 1968 wrote to memory of 3064	1968	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72f633f58d227097bfdecfe376d43a33_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
C:\Users\Admin\AppData\Local\Temp\72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2600

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2900

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Users\Admin\AppData\Local\Temp\72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
C:\Users\Admin\AppData\Local\Temp\72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2296

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:275457 /prefetch:2
4⤵
- Suspicious use of SetWindowsHookEx
PID:2508

C:\Users\Admin\AppData\Local\Temp\72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
C:\Users\Admin\AppData\Local\Temp\72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2748

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2452

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ba99418af6dc78fdb521f80215787a98

SHA1
b13c677206466d0984e7822b04d7842dadba11f2

SHA256
4499ade4046c4c5a3cebadd3a0ecba9771f864ac0e3f82650db88247a7a42581

SHA512
3aae957f441b063a8d61a44bd35cb175bf198eb4f708a324a5980dd3f765601cecd966d400acc5edfa32ed7cecaefaccc77707fc78be792cf9b4bada51b216b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f20246984bd0208080c5fd9ca7e7fe36

SHA1
7fb4af5bead744745f7825b64f956ba93efcfd57

SHA256
a6dbc1bdd218d2d353ee70558189db5eca3c772a6c8742ab60bca79ad476b11f

SHA512
d1f13d0b2a1962ec2e33906b40e7c657e5d31c5a24452449eaa0ba79170932b41208ed1d67e7423f4638b199ccab58e77f78d834021ecf326c1dc8062d685f5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4240a74c145f063b063cea0720ec532b

SHA1
e207a3f62dde8f65a48a06c5365cf9e91a4e22e8

SHA256
253540bf4040a17b750dda3e57f4f67aa2060a2859cc8578b68caf6f0ab41452

SHA512
925aa758dd70fa4c72b2e38fdc21178d7ede077fe473033ea82017d965e887cc911305205adc2672f5fcc0e5cee483af32bf37d59209dbc6e7b75c68399702f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
407463844c350f359d9e0161548db52d

SHA1
fe46c996e557b1ed80f597c46fc89ec8822be353

SHA256
1e9a3be71cf6ebc3f9b22eafd20c08132a54b9215e5a1ab336cf28b456895234

SHA512
c3d0178467720609f02a4089917afbc5faadefaf168d35f7b145a0803f1016222fc0f2612367eadec42c3f6ffd7f38f9833691400c11ac90beb515d867482220

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
35153147f757d390cef837c1c383f5b6

SHA1
9a4c10864092765fd59981601f33fe1cbbf567f9

SHA256
7c7030b07b5de98f9f2b14be369f2c59d02aa4b058e44d3f0fbe794e3698f76b

SHA512
28e7be2357fc506ca9e104cdd7ebaea9a4084d1904cc636ab25c66bb166ff8e68b5b5faadb85ed2771202e43aabbbba2d9dd67f13d9f03714792a69821c967ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
55198618849934ea410ef84fdd42255f

SHA1
baffcc7d4e3af698ff12563469e65f137bcd575a

SHA256
9e771da8ef57ef4eb87e2f3d4d4844bbf517dfd162861ddc12f665298d094f62

SHA512
a0bc345ee1868bc6c5377999cc2821853c7b7a82210a6c9a2bfc3918baf928472892d428d375edf39ef9dce83aa5e116e8e70b2f31d85eef5187e7700efa9ee8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b8d0294f84e29568245420c6f9e5d1fb

SHA1
c4e2bc1c0b8d9e51f2e925ae56bbb776a5f4d7aa

SHA256
6462539bd8e90308977558bf3685dee924e47e6a95999249c325ce1df5cfeaa1

SHA512
36bf49deeb60d44f1cd2d8f502530fdc9b1212dc79ff4cafbd003449a009a5e2ee8823f0aacdfbb7e30fa83504fc65138d49a41c134c08995bed54de2930278c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2c9f9aee64e8ef738d8ee95b40f45d58

SHA1
2188691f97eee05392129037dc1e953391f0c84e

SHA256
157b5e269a150b5c7dc0c0228f1bc0e1fec1186d90363ecfdbf00daedf36ac0d

SHA512
a6918feace80c46455863d93d5922c6df3f64acc35a549017c8129cbbf729902476672460db948787eaae9fd94d125f495ad4f14ff85485856a425bda7471b75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e624eac1f51aa97057262aea75df14c0

SHA1
caf7e3e87a68578ebd1a373c06dc3f742451114d

SHA256
99bd915b1125c74b077b04297068faa81073a8edbb40ebce8e773253b7e90d69

SHA512
2de407a1f21c3f87744b8ecd0a2f57cf6c96d3e2c47fc6ad6b9187826e363b16f71e596b4208b15ec05e135cb6accab2bfd89e229f22c4b2c197a76321cfab4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7a6644bcadc4b9d8ba7526181cd99052

SHA1
938effd581854d1d1598c13d9ee01762d9a1c53f

SHA256
bacdcb3f08603c3cb66d1aee2e9fa975e6d13f280b6ff35e45da55c14c4b6264

SHA512
434615cf3afed0653cf1e2c732d05a51ff0e81d05739178227db34a86bbb4926d1039647ae789306b24b1935d1ee165e00521ceb9e7b50c2e1757fd56a87499c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b925d064924c77d55686791255861384

SHA1
f32245a478e71e484e2d58a391df2ef558492b15

SHA256
725b813c75c0c306773d29f4f75953e81d0d39091ce41b7af15d6c95d3033193

SHA512
fce41ad1381072cbf7992e6368b1c830c8abb8f183a981ec77c78108bca1f3ad60c92f7e9fe7ea70d0f00ab58d40fbefdf51ec42586f053ad4476e516585738a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5705eb670d0e62bb72f2c98875bb2d1b

SHA1
b5fdf3ea8a9b61fd2b034079338955ff57156783

SHA256
1aa55569a5db7168e489ed4b0c416c6a4c963304a4f925f7cba438c0fc6b82fe

SHA512
c042d12a00be12a8ea13cf1fd0a6da6df33c335da5bc23af8fb667a4cb46055f95c5bd8950f24f83d00b860e8db08db5ee0db2fac168786c1f4393afb514de15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
19ac7d241a0388c1d3d07ced062efa71

SHA1
fd803c90c84bca16847a0618d754857c860834fe

SHA256
2cc6d835edcbece3ef610a8a67bfa00c3b645b4e2ea17aa31017e5911989960a

SHA512
18c3a03da24a3d255f559d74fc8d3320a9850eca9c837153514258d7a9229209705c71e46f34592a54fdbdc34debf1585152f8a633afe88c927e4acc9030a213

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1788c1a138cc318a4f9c2baba68c8b24

SHA1
c97edfdbb7f067ff34798b4f0c0f67843189e2c3

SHA256
806ef2450a8920df9443b578f1b0344eac4ec9f7691a8fe348fd4b8337d77345

SHA512
d9eaac1a15456cbad01aa12ce9226c0705215c93b8ed5dbb077114b0e730eb77a34ec95172fcb92f0213f07390f0a484bad12e78dbe88e13dbf93d9de0fd749f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d639403891dc53b2bc7b88b5a153144e

SHA1
6f616a099a1b60f47d7da941a15ff0f3e4eacf6d

SHA256
9ebc64101aa9cc28c21e3ae3629eb234d513cb39354f7414cd1c552a918f04e4

SHA512
d8736e912888853410e4c16ecbdb5db483c1de506e7972d610269d00520aea07390a392da96f033631dd5a9785ffc116fcfbe4ca8b91ad083b5b3d1f788c910c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7be5d3b2cff521b0d3b95fcdf6abe549

SHA1
3ec9a10bcd0c6142a009a81c743a81d16faa2fe9

SHA256
852911da40dcb9693dd56fddf15aaf1358dc9dbb47571bdc47cb133b7982daa3

SHA512
6ae98769fec5a44103eabd0905ae957ef7224686f08fbd23e86c342137a16baf9c82cf247d7cc033e4afc7de00c8be04c3255b2c362d95c6a9df204ff3c8e0ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6b5e896a89ae80b10cac2bce0d21208e

SHA1
be08704fcb83531097ebd3958640084296d0b3b7

SHA256
2e2508ee32d36029c7799ca74fba00e405694843a37fb45dec4ecb478dac681b

SHA512
7eaca357d3adec4bdc7e73c4c0c043b89d323e2a5b3adc425bf23f290604eebb0fc1aee0cdbe8412c6479805b3e7b97680fdb96005667f3198a616d0632ef73a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6becb62c51ae142ea4aa77169a7c4115

SHA1
f271c3226219ef5cc4531bc8a869edf79147f0d2

SHA256
2a4197d6c8b9829f0392b0ca002a84a765d84b659a4aebc20c2cb190340f7b7a

SHA512
0b6ab051469b2a8e233e3f30e9e8b794d45d1d13860e5aca21d0377b39b3717f1127f5a98157c950a87f20a858859f4ca1accd42e62949dba03a9383a6d07c03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cda5bc94d9b57cdc00a7d58bfe08c06b

SHA1
e23aae191cf8da62f93f4f37df5d62ebb5bf07d0

SHA256
b3a8be67e6ec722f6f1b58444ef3a7bbc5c7c67bbc6b5aa11e1a44df33ca4dfe

SHA512
e0e3593e4a620279baad37603c0a70ead5801c83d6a1e1b3ee54567fa1a7d5f9fe4fa7e3c5586979cb8b9b1586a60dbc07209942ec3dab651993bc1417699d51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
87577074cf80a2f9a7a8b01b96f7a417

SHA1
d94ec36a1d0ec616e4c4fe01f46ba35fcda83243

SHA256
ab6beb60de1d16174a4a40d46f5064de09538a3c694d616a04443514e12dc7f0

SHA512
3c927ac7195d6fa8038d8aff85c1e10c4e347cffd525912f7e428e4bafc1f0e0a7ec90db36ec9cbc94f490de3ba2adb9ccc9a4428be1aff82a89ec133d3d6f46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1facc9453a6bac39d10f8515052649a9

SHA1
c5aa26f7cce8d864b2e0618385fffa79515aee0d

SHA256
e8526a14f6ae2ee79b15201ed43ac6903e7205102f27540af81ace526eb64213

SHA512
35d46442b576fe15fdfd3c8e9142826c9e15338615b6d20100662317fa7040eaf841a81615e2a92bf2b9a616b6c02055ad9858b56f3af0029a33055804b5bbef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{61369611-1ACA-11EF-AB84-52AF0AAB4D51}.dat
Filesize
5KB

MD5
d46d1312c0500c5e2a66f751e5e3e17b

SHA1
bbefeecc658ead00859892cea5322de0cff63869

SHA256
4571c8c9c86d796fc5ec5190d273388518adfb11e5060c4842239c196e0f9bbf

SHA512
b9bdbddf9a32862680595acdd5a17455e35d0e9203b446b6f5feb4fb528119831172edeea4215adfc0b5298084b68da7b7bc95876573807425ff7cbe2fe7924e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{614E63D1-1ACA-11EF-AB84-52AF0AAB4D51}.dat
Filesize
5KB

MD5
f67d49595d239baddaace528c670390a

SHA1
815f32aa4a9adc2a7a0bc0815e02dd603061dcd9

SHA256
d947df8236047c63cb7440a3d3d02815760a8c819522e00bf99985180e94dbff

SHA512
7ca19ea252674ea4ce885b941d1e1b72729ce5ce25da49ebb257e2cbe9de3c14a4dca80af3d26ebec1312346664d77712d1ee1c9fcacb6987647dc13e218269c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1950061\GMSkin_Image_2012_v1.zip
Filesize
388KB

MD5
a1bc3b1cfbc2bca222149f1c8e035fa9

SHA1
3b83e21d38de489bd1aa4e875a3c98f58095ac8c

SHA256
f3d7906579bafe366da8f1779a34a103412fb1122cc38951ab2173bd3d6289fd

SHA512
d8bae9cf73ef484b10b84c386b7b311be5f5a07b2c38808d64fffa695fda7bff35b24797c179030a5a5ad30883ee4212236c40fb1020dbc0f6350f86ab7b4572

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4000.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4060.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\1950061\MyNsisSkin.dll
Filesize
384KB

MD5
a6039ed51a4c143794345b29f5f09c64

SHA1
ef08cb5dfa598d9d5b43b8af49f54b2c7dac00d4

SHA256
95ae945504972cadcf2ccfb2b3d02ea8cade3ee53f2f2082e8b40b61f660877a

SHA512
0ed3d0c070bfd91e2355aec5a30ad5cbaf6949c965af5e0ee1ecf2edd5f5aeba3819b4667a0301f8b52c8fd56d3bae35fa4f77063d56c8f89055784d0c0a30a8

Download Submit
\Users\Admin\AppData\Local\Temp\72f633f58d227097bfdecfe376d43a33_JaffaCakes118Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2879.tmp\ButtonEvent.dll
Filesize
4KB

MD5
fad9d09fc0267e8513b8628e767b2604

SHA1
bea76a7621c07b30ed90bedef4d608a5b9e15300

SHA256
5d913c6be9c9e13801acc5d78b11d9f3cd42c1b3b3cad8272eb6e1bfb06730c2

SHA512
b39c5ea8aea0640f5a32a1fc03e8c8382a621c168980b3bc5e2897932878003b2b8ef75b3ad68149c35420d652143e2ef763b6a47d84ec73621017f0273e2805

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2879.tmp\MyNsisExtend.dll
Filesize
596KB

MD5
37e4e1ab9aee0596c2fa5888357a63b0

SHA1
a5dba8c0a1bd936dca2b6a81f2dc9a3005f1a2b6

SHA256
ff4b245fea98cedd881ca102468623a449a0b40df0c557dd8a6ea32e788d56fe

SHA512
5cbab2872683079c6cc09423a2baf7107b5ac5731f336cd237fa93a4a4ee53a127963dc0ec0dbc6168b9b3d2c3a881c7663ce4ecd84d964628dd566395d49bb3

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2879.tmp\System.dll
Filesize
67KB

MD5
bd05feb8825b15dcdd9100d478f04e17

SHA1
a67d82be96a439ce1c5400740da5c528f7f550e0

SHA256
4972cca9555b7e5dcb6feef63605305193835ea63f343df78902bbcd432ba496

SHA512
67f1894c79bbcef4c7fedd91e33ec48617d5d34c2d9ebcd700c935b7fe1b08971d4c68a71d5281abac97e62d6b8c8f318cc6ff15ea210ddcf21ff04a9e5a7f95

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2879.tmp\nsDialogs.dll
Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2879.tmp\nsRandom.dll
Filesize
77KB

MD5
d86b2899f423931131b696ff659aa7ed

SHA1
007ca98f5d7921fe26fb9b8bd8a822dd5ae09ed6

SHA256
8935cba8e9b276daa357a809e0eca3bebf3fdc6d0d3466ab37fb2cbbfacd3a94

SHA512
9a4437ab484e4e22597c642d21b0107a063a208a582df3a5bf276466ad8d0ba9aeebac6de8dcf1372939984bb187d58e94c799918cfbe80e85c958bf0a537fc7

Download Submit
memory/2296-58-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2296-61-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2296-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2296-56-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2372-37-0x00000000029E0000-0x0000000002A42000-memory.dmp

Filesize
392KB

Download
memory/2372-16-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2372-45-0x0000000000830000-0x000000000085E000-memory.dmp

Filesize
184KB

Download
memory/2372-17-0x0000000000830000-0x000000000085E000-memory.dmp

Filesize
184KB

Download
memory/2372-96-0x0000000002B50000-0x0000000002BEA000-memory.dmp

Filesize
616KB

Download
memory/2372-140-0x0000000000830000-0x0000000000851000-memory.dmp

Filesize
132KB

Download
memory/2372-28-0x0000000000830000-0x0000000000851000-memory.dmp

Filesize
132KB

Download
memory/2372-122-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2372-123-0x0000000000830000-0x000000000085E000-memory.dmp

Filesize
184KB

Download
memory/2372-569-0x00000000029E0000-0x0000000002A42000-memory.dmp

Filesize
392KB

Download
memory/2372-570-0x0000000000830000-0x000000000085E000-memory.dmp

Filesize
184KB

Download
memory/2372-571-0x0000000002B50000-0x0000000002BEA000-memory.dmp

Filesize
616KB

Download
memory/2372-572-0x0000000000830000-0x000000000085E000-memory.dmp

Filesize
184KB

Download
memory/2452-124-0x00000000001D0000-0x00000000001FE000-memory.dmp

Filesize
184KB

Download
memory/2600-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2600-19-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2600-20-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2600-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2900-83-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2900-33-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2900-87-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2900-85-0x00000000001D0000-0x00000000001FE000-memory.dmp

Filesize
184KB

Download
memory/2900-84-0x00000000001D0000-0x00000000001FE000-memory.dmp

Filesize
184KB

Download