ramnit | 8f104310c9e411854f6c149053f883611244b05edd797b10d62eda784859dd73

Analysis

max time kernel
93s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118.exe
Size

316KB
MD5

eaacf12631b8e4320b6a1a4351c6261b
SHA1

0ad83ae72ed40310202e937d5f51acbeeea41e6d
SHA256

8f104310c9e411854f6c149053f883611244b05edd797b10d62eda784859dd73
SHA512

c68f3bfc3ebb1dd81e4dce8af5a8d0e055186bc0a81325a7c775f910a1019e0a62de8aa15f5dffaaffea639a39f7609da2e150dea064d1ca3ba8e92252b2a177
SSDEEP

6144:MMTi0+lfh+L5qe9T5q4GAFzWTBPMmC1UC6fOadhskqGnSZK4BKBHvJ:MMTi0uhMqe9ts2zWTpMmCG7P0Gn344dR

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
4456	eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118mgr.exe
3900	WaterMark.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4456-7-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4456-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4456-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4456-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4456-10-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4456-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3900-36-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3900-35-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3900-32-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4456-8-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3900-45-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3900-46-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px66B9.tmp	eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118mgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4896	3456	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31132245"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "836177435"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132245"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132245"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "836177435"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "836333618"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132245"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31132245"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132245"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433488840"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5D7BD164-7648-11EF-939B-F2CE673D6489} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "838521216"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "838521216"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5D796ED6-7648-11EF-939B-F2CE673D6489} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "836333618"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3900	WaterMark.exe
3900	WaterMark.exe
3900	WaterMark.exe
3900	WaterMark.exe
3900	WaterMark.exe
3900	WaterMark.exe
3900	WaterMark.exe
3900	WaterMark.exe
3900	WaterMark.exe
3900	WaterMark.exe
3900	WaterMark.exe
3900	WaterMark.exe
3900	WaterMark.exe
3900	WaterMark.exe
3900	WaterMark.exe
3900	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3900	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5116	iexplore.exe
2816	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2816	iexplore.exe
2816	iexplore.exe
5116	iexplore.exe
5116	iexplore.exe
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE
940	IEXPLORE.EXE
940	IEXPLORE.EXE
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4456	eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118mgr.exe
3900	WaterMark.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 4456	4960	eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118.exe	83
PID 4960 wrote to memory of 4456	4960	eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118.exe	83
PID 4960 wrote to memory of 4456	4960	eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118.exe	83
PID 4456 wrote to memory of 3900	4456	eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118mgr.exe	84
PID 4456 wrote to memory of 3900	4456	eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118mgr.exe	84
PID 4456 wrote to memory of 3900	4456	eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118mgr.exe	84
PID 3900 wrote to memory of 3456	3900	WaterMark.exe	85
PID 3900 wrote to memory of 3456	3900	WaterMark.exe	85
PID 3900 wrote to memory of 3456	3900	WaterMark.exe	85
PID 3900 wrote to memory of 3456	3900	WaterMark.exe	85
PID 3900 wrote to memory of 3456	3900	WaterMark.exe	85
PID 3900 wrote to memory of 3456	3900	WaterMark.exe	85
PID 3900 wrote to memory of 3456	3900	WaterMark.exe	85
PID 3900 wrote to memory of 3456	3900	WaterMark.exe	85
PID 3900 wrote to memory of 3456	3900	WaterMark.exe	85
PID 3900 wrote to memory of 2816	3900	WaterMark.exe	92
PID 3900 wrote to memory of 2816	3900	WaterMark.exe	92
PID 3900 wrote to memory of 5116	3900	WaterMark.exe	93
PID 3900 wrote to memory of 5116	3900	WaterMark.exe	93
PID 2816 wrote to memory of 940	2816	iexplore.exe	95
PID 2816 wrote to memory of 940	2816	iexplore.exe	95
PID 2816 wrote to memory of 940	2816	iexplore.exe	95
PID 5116 wrote to memory of 2540	5116	iexplore.exe	96
PID 5116 wrote to memory of 2540	5116	iexplore.exe	96
PID 5116 wrote to memory of 2540	5116	iexplore.exe	96

C:\Users\Admin\AppData\Local\Temp\eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118mgr.exe
  C:\Users\Admin\AppData\Local\Temp\eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118mgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:3900
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:3456
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 204
        5⤵
        Program crash
        
        PID:4896
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:940
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5116 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3456 -ip 3456
1⤵
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
33bac9325241193616461afd5a0deb0c

SHA1
e78ed72996568bc9616f4d6b20403749252b4859

SHA256
cb0b78d15b774b91ab6f6ef315a14f301b85b40122a72622818753212538f5b7

SHA512
3054cbd1551e36a747fc4c7086d3cc484530ea13d44279b4f5f92d462d91d7e3322bb240edeedd517751c00949a6264b50322464e446290726fde18ac4eb2e2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
999137c7b4599a8b93b3668b2e084204

SHA1
205047925bdd9468e59ee927a0b77b33fa100141

SHA256
8d9d890bb36a65d912a3fa87fe5bcfd09487e9c3042f89e97370edd4d36bd64a

SHA512
71546b8a1f1a56c1314de1b5d27eeed135e596a73efed90caf3e1e9cc3ea11dcf44deb39d42f6b01308a4aa642583d9a167823e90a58a9d74655611c462e4c5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
4381d854fdbfe7b3d1c53cd047006122

SHA1
b438c5fd0d6478c7a95faeb32d0a810bde9f8dda

SHA256
390b8e312b1256a2d7a4a71b575050f3bf70db0a05316e067f88caf6f6ec29c7

SHA512
7aaba17a5260b6556a9ecfc9cf954f0c765192780c1f1ff1acfa894f71830641d8ceb49327f79a924ba934b2a24ccfe753052b4f93a152967edad95dad7ddde2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D796ED6-7648-11EF-939B-F2CE673D6489}.dat

Filesize
3KB

MD5
bcaa0de7934272b25524958c2875e133

SHA1
02f87417773b5f5534f339fc790a21c53b703cee

SHA256
4933e1e06407542e70962d1aa434b3513fc42087f8a0ec51089358b3d48862a6

SHA512
36ed92041f2bf552239f3a78028419b48d68947a64ac68e5586bbb40f39f94a80ef92b888e498979ea630ebb047649c83ac073cc2529063f9e87289c4d7fdc32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D7BD164-7648-11EF-939B-F2CE673D6489}.dat

Filesize
5KB

MD5
00b3046fb995aebb5f20d97b5473b9b1

SHA1
371a7ed31dc30bb44fb955981ad32cd06f9b6849

SHA256
b0903e6f66a89c72f30a50d3000ca61de0f9b54dc9aa6cf69eede5442c19a803

SHA512
d96cf86b1b8e1425156a6b4f5f6565a8fca09b859fe5234f15a405bc6b56eb5463857a6f325711356102c2603b4345fea80d2fd12479c72b7e5730cacdec543b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verE947.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1CTRFUW\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaacf12631b8e4320b6a1a4351c6261b_JaffaCakes118mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
memory/3456-39-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/3456-40-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/3900-45-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3900-36-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3900-35-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3900-34-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/3900-32-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3900-37-0x0000000077952000-0x0000000077953000-memory.dmp

Filesize
4KB

Download
memory/3900-42-0x0000000077952000-0x0000000077953000-memory.dmp

Filesize
4KB

Download
memory/3900-41-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/3900-46-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4456-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4456-5-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/4456-11-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/4456-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4456-24-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/4456-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4456-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4456-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4456-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4456-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4456-6-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4960-33-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4960-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download