Malware Analysis Report

2025-01-19 07:17

Sample ID 240531-ftg25aha79
Target 860ef4ee601e04cf718b803d396d2a73_JaffaCakes118
SHA256 81d3c02b7213337dfb139caeaa1a297ecb8a9e752fc2fc92b3210b63dba4d2cc
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

81d3c02b7213337dfb139caeaa1a297ecb8a9e752fc2fc92b3210b63dba4d2cc

Threat Level: Known bad

The file 860ef4ee601e04cf718b803d396d2a73_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 05:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 05:09

Reported

2024-05-31 05:12

Platform

win7-20240221-en

Max time kernel

118s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (31 rows, all N/A: the Ramnit and UPX signature hits carry no per-hit detail)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px12B6.tmp C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423294051" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FDD76DB1-1F0B-11EF-9371-CAFA5A0A62FD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe
PID 2100 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe
PID 2100 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe
PID 2100 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe
PID 1460 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1460 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1460 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1460 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2556 wrote to memory of 2368 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2556 wrote to memory of 2368 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2556 wrote to memory of 2368 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2556 wrote to memory of 2368 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2368 wrote to memory of 2924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2368 wrote to memory of 2924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2368 wrote to memory of 2924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2368 wrote to memory of 2924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe

C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2100-5-0x0000000000250000-0x000000000027E000-memory.dmp

memory/2100-3-0x0000000000400000-0x0000000000523000-memory.dmp

memory/1460-16-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2100-14-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-13-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-11-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2556-68-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2100-48-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2556-65-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2100-63-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-60-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-58-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-56-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-54-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-52-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-71-0x0000000000400000-0x0000000000523000-memory.dmp

memory/2100-50-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-46-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-44-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-42-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-40-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-38-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-36-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2556-35-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2100-33-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2556-66-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2100-27-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-25-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-23-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-19-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-17-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-10-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-7-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-72-0x0000000000400000-0x0000000000523000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab29C1.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2AC2.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e0511b7d2c0fa38b12c6b8c556b8c11
SHA1 f0032aeaf6f568c306a6e9a2b56754ff2ef8f637
SHA256 bfd092d1b9b5c9bfa098254192c5c12d8f8fb1c5298e92cc6cf2bd6b0627bd67
SHA512 355fb6cf14265837ead17dc33198396a09b993cc57a9e0af3a619178b2a4eaed9ec82924b6b05ab873fb2b313096839c53c93d738bb811bc6ceff0c2bf790262

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2491138e3115f741c1441f5f3b398956
SHA1 0885c413fd1f588d60eaee3ff757937035e5548e
SHA256 5b595f5dc90808a9cb73428a73e5effd61c9488892453169ced6d28adbb44fd9
SHA512 d5f84f28a9e469b1882cbea114caa83cc292b29fb358055ea068b21f7f924f12d9b56ac783fb092ee371d239c46f8e8fb716258f4d65654e5903b0fba651b915

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 201ce1a0ded2fc07ec09dc93902d6b13
SHA1 e048cd156ec23c0ed39c9bee3819536d77874079
SHA256 652e24cd0b01b8cec7f2bb1b274f66a1a575d282d20953657ad0f68bfe0e8792
SHA512 7ba071ca5af004e788263cda2f00b228f0278263721621468a88f5287444c69dee34c639127707e6e4d4b5307f5a22089f54176f187b0c1753f92674c8c3be6d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb1dc27b0799e30f60e5021e629075ae
SHA1 f4fbdc3e46eb415c857508adefd5e1c8bd39b9ea
SHA256 2190fd7c5e89c709e4a2c17de35a3d26cfe958fe3084864ddb55c8938971b547
SHA512 3782fe01163b00aad6d397bcb724ce6f63764ee8ec4e1cdf54be431f4c1532edd601092fc1389b2ce799f8c9a87a1c8f1908288a2237d007c10e05cc8b7ed495

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f72e9a359ceb66ed8b1cfed979ab2037
SHA1 7c56709a802c5f7979cad2da75315c289e0b3215
SHA256 53b3fc2df807542dd1fd6b3d558624783ec03fdc3e5a1fd06f448c854d1a9f6c
SHA512 01d25c4ecbd3eadd2940b1c6b6981be5641504b9883063f1462252c0bce8ac293769a3ee8f4c2baba9682521120744b9949304ac8429b64756e6ab0255900173

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35dc7bda689914d6aae6fbec92fde2a3
SHA1 3e2a28275db0db4b222c88d66126915169381f34
SHA256 144df838cbc99b05c5b64185904947865660d133bc101a21b9081bc33a871515
SHA512 81b33a6f9716adb60f4485c8a45926d72913b44b5ece1bb68d83445717614e011c8c7e5db3b4e069ccb11c2146ed4b764982991fb40d4bf94177cb6d248f44e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a3f929dc3db422d53ce98d39d983dbe
SHA1 f2a945b1492651032f980c98edc3a425ce50e3a4
SHA256 b2ebbe8830f2a7f6c946982d23f8dfd19a04ba8f501695d2eded0627a605ad3c
SHA512 ad35a099916507c80a5bde55bdc858883076c53f4cecb08f8fa569c08f65a91e91be2a8084162334013ae1a8f148048a17691095e09efa54a8fb5b19d91551e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b3d09d26150d7a3a30e3d8689ea30380
SHA1 be708e11d9a84bbc51cca99ecb4780d30c7f875b
SHA256 0cae09561445da88d75c397f62166dba48b5b297a26ae0f6062adbf8813df6c9
SHA512 a656b1e98ff37d14817aa58268a24d6a4efb652e10ec191dcdaa7e6ee8251cf85bcb3069cde3c8e93d2bb5c7f4fbc16cf1e1bb48012e53af08433676f997a685

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52bacbdac33d9e7addf07b65d5ae2ecf
SHA1 defc46d7dc5ff77d5a804feb7e98e95163c351d9
SHA256 a0d6a21dd95819d0c355fb3f519d48a7dee140d73b70c93374db3b3266f9cdab
SHA512 4eeace078cc318f6ac5e2c84305d2e79aab008cdb96c07dbf8b36c6e87334197859a70f1753b670b39862ba908ae5eed2e6017c6387fe4ab34f068b9c8f4b37a

memory/2100-547-0x0000000000250000-0x000000000027E000-memory.dmp

memory/2100-548-0x0000000010000000-0x000000001003D000-memory.dmp

memory/2100-549-0x0000000000400000-0x0000000000523000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0fb13776af1d92bdc82f19bf0730e96c
SHA1 def2955aeedb5d57f49fb1ab6d971fe26fbaba62
SHA256 9ca1cb069c2762b97160e5d73fc1b3e29a2572d2fd17785bd7454956b6780d80
SHA512 595c7757699a70e1acad624b6512dea1549bc6befd3a276a0aafa3b3dd9f37735cafe5d1e97158199e5aa321a862ac86ed2fe3f89976583a7079ee6e8e34804b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ab2a4b816d652b4feb1772e0c120159
SHA1 1de8e8e5e9871b0fcdf68aab937dd83f3f4a391d
SHA256 06fb75aaec446b506ebdb679394caaf5b9cea839e8ef7aefd04c14af6ee705cd
SHA512 8889201217c7d2c432637623f296570f9cfb36c209af85daae2afc6a4b1a61df82b97f172e6cdf6ce2729aa72a64c7079f071ec6d6c9be42bc88260e1e1fb249

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31d640c0ef07f0cb04562a1764e5fa51
SHA1 254ca86b2186c3b3315708300b146e9e213a2008
SHA256 80972fbc848b68066a6ee95f2f6d21afc29d701d5e24592095f0dfa07a92a288
SHA512 91c5902608ae7097bbeda6fb2f1885a4ef04d0d544d82e0a122b20c3270a976825434e3c1bf80c34f975b9ec9c80d6875fa651c4845c4ca1ae38574296448513

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e45315dec5ae38b86db248d5fa61f7d5
SHA1 619394b968e7d395102171f036f44e4ab213688c
SHA256 20caf10d6a2d0e80f3f409cabf4534a2d0e3d976d499253a5965fa767159d8d8
SHA512 0bd0ed4e580c94ffa113d974c5272f2216794f71c72aeec0929de68ca74b526a73dba9655595d6ae8e90d1879d212eb93d5d7ab18edb87c0fa9b214afa56565f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fdba6db3d86edb399992026a6461982a
SHA1 a8993cf96e793ee52f9078f3b52957fd624679c2
SHA256 bf6adbdb27211060380eab69e1240a5a314a9e409d708a53e2d467078e8130ce
SHA512 b0f883c5c9df8d143e561dd13d3a830b873a79fced922cdef0a4e244968298a5a896cd4556d41d92e843b42bca303048756ecb23a68ae9b6045e4872498bf267

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94b7ad2e173a1aab2bd61427cda79be0
SHA1 f812c48694fb923eb694aa81c136b783c5fdd9ee
SHA256 633464abaddf6da285eb64b87170f18e421a81bfb8931631dbf070fc179077c7
SHA512 c466a1d160643ba469c57762c19d16e4ee5b4fcb86d9e1bc130bac6e6ed3186354ddb947f62caf59d5adf79136f256fd689e0cfa1622269a6eac75425ff9c5d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e04a6b02b814344197d6cec992d1bd78
SHA1 55fe5950085ac034a66bea66de3909c4c7a4b576
SHA256 d2cb3ea4747aebfc9e1469fe85a586bb054dd7d6bdcf0514503f60ddd8603444
SHA512 b246349060a0ada0f337025e7631d12ea8015cfc34e517ed355cf13f41e6ac5998b2805465d08854a918629bbdd735268b4b7a50a2ed0dab3934956d09e32407

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e6f4a5465885b8dc5539541c8a5f65c7
SHA1 cf0acd1ce000b53e5eb0d8080720241aaed8d0db
SHA256 bfffb335ab6596a90c78eee2ea6f7d4a7cca060af1f2073c8a35ae206f54b796
SHA512 3c2e52b6319f3646aade2a64e9d732e6d2864e5069942134915a033f8539564f55e2c7a455c5359ec36c7e95b4762eef5ac6f94c6b807505fd1eec0381e059b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 914bda9351108f090f31cbc1b75751f8
SHA1 c1be3dede0f6e114394f6b846d1da981f9856f5f
SHA256 efdb789a2235853744c5cba15b88a81cb45d3669621c2cbf945b9390d619c421
SHA512 f5905e50157fd40f1d6481108d0ee90c91f90f2c63d556dd0ed0a4432e3fc35b0ec189222f5e8ade64fdc74dedb1c3c89534f3e01fa0cfc00acd20e9a2308f93
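Triage of the Files section above, as an added example that is not part of the original report. Most of the entries are not artefacts of the sample: the CryptnetUrlCache files and the Cab*/Tar* temp files are written by Windows' crypt32 when Internet Explorer starts and fetches certificate data, which also explains the ieonline.microsoft.com:443 connections in the Network section. The only hashed payload is the `…Srv.exe` stage, and DesktopLayer.exe, although listed under "Drops file in Program Files directory", has no hash in the report at all. The script parses a verbatim subset of the entries (SHA512 lines omitted for brevity), separates payload from noise, flags dropped files that were never hashed, and summarises the memory dumps per PID. The noise rules and the "same range in two PIDs" inference are this example's own assumptions.

```python
"""Triage the Files section of the sandbox report: payload vs. Windows noise,
unhashed drops, and memory-dump regions per PID.

Added example, not part of the original report. FILES_SAMPLE is a verbatim
subset of the Files entries above (SHA512 lines omitted); DROPPED_IN_PROGRAM_FILES
comes from the 'Drops file in Program Files directory' table. NOISE_RULES
encode this example's assumption that CryptnetUrlCache and Cab*/Tar* temp files
are crypt32 by-products of Internet Explorer's certificate fetches.
"""
import re

FILES_SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe
MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

memory/2100-5-0x0000000000250000-0x000000000027E000-memory.dmp
memory/2100-3-0x0000000000400000-0x0000000000523000-memory.dmp
memory/1460-16-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2100-14-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2100-13-0x0000000010000000-0x000000001003D000-memory.dmp
memory/2556-68-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab29C1.tmp
MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 1e0511b7d2c0fa38b12c6b8c556b8c11
SHA1 f0032aeaf6f568c306a6e9a2b56754ff2ef8f637
SHA256 bfd092d1b9b5c9bfa098254192c5c12d8f8fb1c5298e92cc6cf2bd6b0627bd67
"""

# Paths from the 'Drops file in Program Files directory' table (behavioral1).
DROPPED_IN_PROGRAM_FILES = [
    r"C:\Program Files (x86)\Microsoft\px12B6.tmp",
    r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe",
]

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$", re.IGNORECASE)
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
NOISE_RULES = [  # (pattern on the path, label) -- assumption of this example
    (re.compile(r"\\CryptnetUrlCache\\", re.I), "crypt32 URL cache (certificate/CRL fetch by IE)"),
    (re.compile(r"\\Temp\\(Cab|Tar)[0-9A-F]+\.tmp$", re.I), "cabinet extraction temp file (Windows)"),
]


def parse_files_section(text):
    """Return (file_entries, memory_dumps) in report order.
    file_entries: [{"path": str, "hashes": {ALG: hex}}]; memory_dumps: [(pid, seq, start, end)]."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:  # hash line belongs to the preceding path
            current["hashes"][m.group(1).upper()] = m.group(2).lower()
            continue
        current = {"path": line, "hashes": {}}
        files.append(current)
    return files, dumps


def classify(entry):
    """'noise' for Windows by-products, 'dropped_pe' for executables, else 'review'."""
    for rx, label in NOISE_RULES:
        if rx.search(entry["path"]):
            return "noise", label
    if entry["path"].lower().endswith(".exe"):
        return "dropped_pe", "executable written by the sample"
    return "review", "unclassified artefact"


def triage(text, dropped_paths):
    files, dumps = parse_files_section(text)
    iocs, noise = [], []
    for e in files:
        kind, label = classify(e)
        (noise if kind == "noise" else iocs).append({**e, "kind": kind, "label": label})
    hashed = {e["path"].lower() for e in files}
    # Files the signature table says were dropped but the Files section never hashed.
    unhashed = [p for p in dropped_paths if p.lower() not in hashed]
    regions = {}
    for pid, _, start, end in dumps:
        regions.setdefault(pid, set()).add((start, end))
    return {"iocs": iocs, "noise_count": len(noise), "unhashed_drops": unhashed, "regions": regions}


def shared_regions(regions):
    """(start, end) ranges dumped from more than one PID: an identical image range in
    two processes suggests the same PE was mapped in both (inference, not proof)."""
    owners = {}
    for pid, ranges in regions.items():
        for r in ranges:
            owners.setdefault(r, set()).add(pid)
    return {r: pids for r, pids in owners.items() if len(pids) > 1}
```

Running `triage(FILES_SAMPLE, DROPPED_IN_PROGRAM_FILES)` leaves one hashable IOC (the Srv.exe stage), three noise entries, and both Program Files drops in `unhashed_drops`; `shared_regions` shows PIDs 1460 and 2556 dumped the same 0x400000-0x42E000 range, so the DesktopLayer.exe image should be recovered from the PID 2556 dump or re-run in a sandbox that hashes it.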

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 05:09

Reported

2024-05-31 05:12

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (29 rows, all N/A: the Ramnit and UPX signature hits carry no per-hit detail)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxDC95.tmp C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3538840373" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31109912" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3538840373" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FE65E145-1F0B-11EF-B8C0-FA71C8F1560D} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109912" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3544621754" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109912" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423897159" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe
PID 2960 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe
PID 2960 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe
PID 2200 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2200 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2200 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 464 wrote to memory of 2416 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 464 wrote to memory of 2416 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2416 wrote to memory of 1812 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2416 wrote to memory of 1812 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2416 wrote to memory of 1812 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe

C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2960 -ip 2960

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2960 -ip 2960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.250:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 250.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 3d6908c3ea7ced33d2696a9ef09f8961
SHA1 a7d4321bbf04cb7335522cfee2cd36edc2d19c80
SHA256 fc0c60c571c30a39ce618b280cdede4a1837d2be33dfe2a4a3413c92a731b6e5
SHA512 071c3fa58a08000ad898384fef6e5fcdcd080ed52b084ec80d19e45f9fb5119557a1dfb42ebba2b22d1c971baa5a852c756c7526010b6b487f3239c8f0df4af1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 0edf7f6721a887258ba37c712d049b28
SHA1 37786aa5df1d8d9359c51db55897ac38f5433e68
SHA256 c7d93f7d1729e4c00636a21edb2e323a2d47d1dbc404fde9e0202d4c77e9b8e8
SHA512 60c672a31ce2249d66bde157ade4a297bd8272e132f3e692ea35de7f26eb743cc24a1ec7e4649704f662e3728558ed0620ce4349674b69751010253e2cf9e2b1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee