ramnit | 3b9deac1498962c1da3b51c3dea5a686590aadb731a3a9199b3acbe5f2b2402f

Analysis

max time kernel
140s
max time network
128s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 04:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118.exe
Size

602KB
MD5

5576c9203f30cf539dd6cd55ef1e566e
SHA1

75c11270030685e2af67a349bf685c8e5b1cb727
SHA256

3b9deac1498962c1da3b51c3dea5a686590aadb731a3a9199b3acbe5f2b2402f
SHA512

1acc4ca48d78c2d1c0e19342aa627ecc7e3cb196908bcada9bd0d93a2dde9421157d6b36fb909700533923084a7bb0e6546833250d98c4a99a14da95dea4f333
SSDEEP

12288:JdIPydX22jbAW59EjyfRMLpZHiSsrHx79TfXr5M88Mw8KiOFMzg39n/ZJ7:oPyplbz9P9SsrHx79Tfy88DxiOF4OLt

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118.exe
1960	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000120f9-1.dat	upx
behavioral1/memory/2168-14-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2168-17-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2168-18-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2168-10-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1960-8-0x0000000000400000-0x0000000000B64000-memory.dmp	upx
behavioral1/memory/1960-21-0x0000000000400000-0x0000000000B64000-memory.dmp	upx
behavioral1/memory/2168-22-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1960-451-0x0000000000400000-0x0000000000B64000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435387314"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D0396D71-8D08-11EF-9D33-D6FE44FD4752} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D0346461-8D08-11EF-9D33-D6FE44FD4752} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1960	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118.exe
2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe
2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe
2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe
2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe
2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe
2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe
2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe
2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2784	iexplore.exe
2996	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1960	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118.exe
1960	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118.exe
2996	iexplore.exe
2996	iexplore.exe
2784	iexplore.exe
2784	iexplore.exe
2724	IEXPLORE.EXE
2724	IEXPLORE.EXE
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2168	1960	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2168	1960	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2168	1960	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2168	1960	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2784	2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe	31
PID 2168 wrote to memory of 2784	2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe	31
PID 2168 wrote to memory of 2784	2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe	31
PID 2168 wrote to memory of 2784	2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe	31
PID 2168 wrote to memory of 2996	2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe	32
PID 2168 wrote to memory of 2996	2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe	32
PID 2168 wrote to memory of 2996	2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe	32
PID 2168 wrote to memory of 2996	2168	5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe	32
PID 2996 wrote to memory of 2172	2996	iexplore.exe	33
PID 2996 wrote to memory of 2172	2996	iexplore.exe	33
PID 2996 wrote to memory of 2172	2996	iexplore.exe	33
PID 2996 wrote to memory of 2172	2996	iexplore.exe	33
PID 2784 wrote to memory of 2724	2784	iexplore.exe	34
PID 2784 wrote to memory of 2724	2784	iexplore.exe	34
PID 2784 wrote to memory of 2724	2784	iexplore.exe	34
PID 2784 wrote to memory of 2724	2784	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe
  C:\Users\Admin\AppData\Local\Temp\5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2724
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d374803b65c4077c3e3373bb73b46cbe

SHA1
eb9e6071672440791a8d364546abd19584c4d039

SHA256
a07a9d92b1a4c476b4b00cd3993ffb27b3f0174abf2959fc8b12d4481237b74c

SHA512
c9c14df0a73c1eae3e62e854572ecbf6067ef5e2fdc3f9e9b0242e5baf256d2fcedc6646cc8f4329093f63e35d4e331d8e982fbeddd0e6ea8fb0bd0b2a8c5643

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50641a33f9afe333bb62b4f84f2c16dc

SHA1
66c9dabeada7beb270b3fa14d9ee910d4bfef2fd

SHA256
1dc469e3a95a3fd7a2058a8d49ede70c003b7ac81c1911330f9c41eea4181aea

SHA512
7a6cbf644daa33f0042c35eaa0707fd52ae3e8205ac3c689d24095754496b0ae684ffa02499c96b27b036a99f71784beea03e5d169e1e71dbf96178881f4fdae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c06fd4fb4a837bf1fac7f8cd9f1ed17

SHA1
e87a60cf0e638e861174fec78ee7025f186fc50c

SHA256
ed673859a46a28e9554fb6c454c8f826b601d5bc106a2414a76ad214a79f7ca1

SHA512
9fbc29c11131290c46b41258d914e12b798ddb81e1f521c371cb69c7e0a50f3973c82a59283d67ecbb7d292b58829c0c5cd64b06345ce5d53c7a4e419a7daafc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d5466a0ddcfb4a75a2bd7677b21dea6

SHA1
bb184496c305436e6b7f412ea7173be47d1067f2

SHA256
a74da0bfe02866ef2e3ea4a475df730f4ea9f139a8a7e0c1041c208dfc754dc9

SHA512
fd5665bd83f7c090ba1cfdd961ab0016a3ae001033d617842f08dece7718911db4a392c3f1bacd6223437fb0ceb713d246ed6deb0cd1a55e4a3ae7ddc3043a41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
889a9f8320ae348b01b7d61d2e9cfd22

SHA1
329a0162a014d771a94766ba604e76adb123a63b

SHA256
99dd9c99ccad305c7ef22d68e6d28e384f088fb55c61a8174f2e89d77e1a60c4

SHA512
d165d51ef69b9fa5cd262ebae85d75dc0118c35a3b7a53db3222c999687c6ab2280fff5230c437dfb58fe4aeaf434e561f06c37f49d426adbd3ea85b8c5b7a8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c3eeabdabeff86c028355fc035cfc44

SHA1
6e8c1b447cdeacf4ed17e8d24f67fbe1dcadf08c

SHA256
fcfec8781a880cb7f9fd672a9e49f5b0414e84fe43c1631a3e0e50157965f6d0

SHA512
77a5695eabff4d08a7956750311ad01b273e1c9b0ab79c415715bb26f875cfd51d1c30b7e108150e30b2eb97602cf5919397955cfdb23b0c590fcf248ef7e69f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c29527a90220e23cfe7a9ee676971ae6

SHA1
e45c6d2f6c8176f294c3955c5163813ca2cb6f17

SHA256
f2c359bcfd65d48cd2617be5cdfb3a3c9f4324348401204a2220ccb57323c577

SHA512
0f064dfcb980567db914472f62e0950e2e84945059f62e0cb1153712159cf339b60385c5557b74471ed6e583e8a692d0e079b0307aeee1348fb938352425e586

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06416ecc9ffc04324f88204337f3fd87

SHA1
ad24d0be85ab3d6ce5d6cd2df102e4e9488bc5cc

SHA256
d57d05a8f9be0fe607c46939f781a30bf70d3e0dad9cf94a2aab0bf8b99a0b66

SHA512
35dd9729a7be29f245c835c32edb01646dde918e441a6ead78d548b85b2eba554ee8b1546cf5fa462f6272c77fa37e0d0b86451ca19376b58cdd265a2e51fb97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6ac623e48b965308e41fd8acb4e60cd

SHA1
636548b5bccda5c4bce2f41749f3f17d85fb7ee6

SHA256
c2b038acd3638fad03a09f0d41b44264e27e29be3da53b6d1010e54b2cdd960f

SHA512
61198ca2f56bb7d7c1ba8f4ece97f784383c5d5a29e237565bfe4cdc3ba9aa1c05ea154e57d27e290b20e1e30287c524dd70ac419f3cf4971c547e425d7bac85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cac50b2bc07f41bbf854b60c3b97e3c

SHA1
e5981aa4e1e0f0f6c61cb1b5da38876a3752b49d

SHA256
2e6b1c1dcaa4dd3cc8556990eb84eb95a1e9b03bf861cb597e76bd2d4bc5a36f

SHA512
5a2493190827e596e6b33108267a2743ee4d70a4b3d62d573f001f5459772e98a1b9016ccba024414a5e1a71a99e608f5905c9ca1fdb671d3db8beec31e039be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22b38750d412b0d238bfee869278231e

SHA1
2086afd5e575bc1758d4d8d38c1216b1244db9ab

SHA256
2cb8e4eb912fe7cde86a8f8e2a49566e3fbdb3b865d5f6ca8da67a77121f4fa8

SHA512
f85de8e0a313b186bd3da11c702dcf88c26e7685f40e919a5301e40b8871d98ae70a0d4025257effa10ba08902c72295d53bea88079c6efa0330a0ee1000ca65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f81f6693a17aef5c1ed3d09987fc9c71

SHA1
49a2fbbd0c7dfbc1945f7ad7564bc5d2c1be7d7b

SHA256
16314571d6b86a8308e008bbc21fe6bb88ea813090020d35bb2851a32eea59ea

SHA512
0d278df2eccd05b5d9706de9f605b0d81e7701581297c28d0640b7fd4e6a7aa8801d192ef10b81f42674a18ac5a083b88cab3c73b5ef3baa71ea68d4063019f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73d589a66119c80a1a2da4c7ad71abb1

SHA1
a80231aacea9f9de87cc6d581771282c4f120855

SHA256
d38d7e8f7086a4f4fc1fd574663b9bd04a30674cb0eafe2b187489327c19f276

SHA512
fbd3bdfb16ddbf7b111881c0493f0efb018ad1b369b1cf6ac87502332e485c7edcf9a75cc4ed2f6da8edff35708f53f99036fc9678d2ad448b03207d7c35abda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed9f2fe43241d4a9be042d778afd1195

SHA1
b8ebd47934a571e13e7f768de26b600704e0a15d

SHA256
9dd20cb9d958005e9ea6a049a3a887b82f483cdcbf9f40fa8a57486fd7d47199

SHA512
820b07299861a325d577f0e0f0cfe10a6b8fdaefc3dc0c5113456a0fe535390c8b9088eea0372f706845cea5e2eb8c94ea4f2d606f0439f0136c369f8cec1643

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f52521116f4effc902ce2e504a1e4cc

SHA1
2ea49d775e0422b8e75e78bf72a7875986210f1a

SHA256
8d0c84b7785320d0a06e5598d7ae7cd7285971d7e6553e42ff802ee546c4e1ea

SHA512
02b9a04fb2da7ed96aaa27155ca2b3af0bd78a3adec4e7f752a0d67dea200c52a502ff585b3ce667efb5b48d5656e5a6953fabe1f135c6e469137221e5325e45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4306cbb76f4e1dd18a13ff58f57b99b

SHA1
1226546cd981be48adaaef9356004942fb2dee5a

SHA256
ebaa29d8f587f5cb3ab393cb7e26aabef503a9b1efc2cc118bb64817b224bd9f

SHA512
0125839a0c1c7a79c677dd4fbdaea655568ede4e6eed9ad627177b07c55ce4fb19ea380b53a81b772b328572728394fa3eb6dfde409c7faa6435896ae6396b34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc6eb4f8e62c0c0f745be66fd2c363dc

SHA1
787d451727a7d7a764821c3a0dd439a43004031c

SHA256
6b84ae3a75fb6d9506100f3e3aa31da99b7549db8c4f2e60eff11a88ec69fdbd

SHA512
6f2c75ab77596f951cee9dbd098a5cc328bbe0d4fead181c519c6ff4c98840c7e081bce97419d078941f7848df77331f2cb2548c7bdbd2247fe7012e217e763c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
430ab9bc78e8ed02727ca6063f57023b

SHA1
692d3d4937e387fb87f81a3e5c7f8fdd76820950

SHA256
4d9f4965493cd1a3fb871a1c5c6bf9e389ae0810ea1b76f03b4e0212363f4746

SHA512
ce8f15edfd61a90f2bdd1e89e11ca41c51ecf29635075a7f388fbe64c07f8c9901f5943fb9712dc228a8ef79d199d1c3c7c3ec0bc28f43f3301679a9a5ffce4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D0346461-8D08-11EF-9D33-D6FE44FD4752}.dat

Filesize
5KB

MD5
d011ba40819221f6ef9c146e03394805

SHA1
593e4b0d88177d2eb94a15859b43dfc8f37d01b5

SHA256
9f22953b7c018a682eca7ee7d1c175e7762cc18eb53da0999b7c86e7ed06810b

SHA512
8d73c013a4f34c971e9c0750e526612c51a75face09f5791c6f25badbffd0766c30283e2c916c821a2aaee09334f00fde4fce14ea41e88359d587c91c60a72b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D0396D71-8D08-11EF-9D33-D6FE44FD4752}.dat

Filesize
4KB

MD5
d329aec38102f2f472b6c3f7f05fdf0a

SHA1
46c4811549e21e8fc9473771446e5cdef4567bb0

SHA256
37129752b2d239c1a34b14a98249635fe37a03bc7f346c11f7c6c47ab7b1f93b

SHA512
1d0579098a8829d65b178e370950f9617a634340ba8d8d25c4cbf11dee0f5bb1e82b1b99b0fc6aa55c9562d60ae63e3a47bcbbf72226c8c0f261c2841c5555d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6EBB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6F6C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\5576c9203f30cf539dd6cd55ef1e566e_JaffaCakes118mgr.exe

Filesize
105KB

MD5
98a8ced05b34189b8b36760049b2ea36

SHA1
a5271250fb91d891c7df0cae7812ed68907ae076

SHA256
e50689964fa016ff34ad6517bb863e26e571f907635e719f1fe5e70a61763d95

SHA512
8548b7dc08007fe55e2b7f9bf502c7271655edff52100bb8445a321f37137139c0cd54f7f85558a2f99b38dd574c8435371adc07f8c365bf8a8561c63fe6be45

Download Submit
memory/1960-451-0x0000000000400000-0x0000000000B64000-memory.dmp

Filesize
7.4MB

Download
memory/1960-21-0x0000000000400000-0x0000000000B64000-memory.dmp

Filesize
7.4MB

Download
memory/1960-8-0x0000000000400000-0x0000000000B64000-memory.dmp

Filesize
7.4MB

Download
memory/1960-9-0x0000000000360000-0x00000000003C3000-memory.dmp

Filesize
396KB

Download
memory/1960-12-0x0000000000360000-0x00000000003C3000-memory.dmp

Filesize
396KB

Download
memory/2168-22-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2168-10-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2168-11-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2168-15-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2168-18-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2168-17-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2168-16-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2168-14-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download