ramnit | e8fb822b3a03ee89389dee1d96b59d64c936f074892a5a983fb940b1ed0c86d9

Analysis

max time kernel
94s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118.exe
Size

176KB
MD5

dc94cc73ac59e09d4efd0b87bf6bdd08
SHA1

1e00d8add387bd8167ebb41b64d7306d87b73a46
SHA256

e8fb822b3a03ee89389dee1d96b59d64c936f074892a5a983fb940b1ed0c86d9
SHA512

00a10b48edd2281c2dd2bfb1d7e34bf3d237caea0dad4ccdb748f8bc16e353d46f727382f698964f55952845b4b7a7760985964bf119d29d744a10e2130db788
SSDEEP

3072:BtmgzqoBx92SPukdo1MCynUsE5lRIp/P4+zAndU40vF:qI1Bi9KnUsEHSp/JzAndU40

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
224	dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118mgr.exe
1528	WaterMark.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/224-10-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/224-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/224-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/224-8-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/224-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/224-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1528-30-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/224-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/224-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/224-6-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1528-38-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1528-41-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1528-44-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxB769.tmp	dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118mgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3180	4920	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CC704D94-B69D-11EF-B9D5-F6235BFAC6D3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2697849998"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2700662413"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31148714"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31148714"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2697849998"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2697849998"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31148714"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2700662413"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440562407"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CC72AFE2-B69D-11EF-B9D5-F6235BFAC6D3} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2697849998"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31148714"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31148714"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31148714"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1528	WaterMark.exe
1528	WaterMark.exe
1528	WaterMark.exe
1528	WaterMark.exe
1528	WaterMark.exe
1528	WaterMark.exe
1528	WaterMark.exe
1528	WaterMark.exe
1528	WaterMark.exe
1528	WaterMark.exe
1528	WaterMark.exe
1528	WaterMark.exe
1528	WaterMark.exe
1528	WaterMark.exe
1528	WaterMark.exe
1528	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4844	iexplore.exe
1704	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4844	iexplore.exe
4844	iexplore.exe
1704	iexplore.exe
1704	iexplore.exe
2460	IEXPLORE.EXE
2460	IEXPLORE.EXE
4468	IEXPLORE.EXE
4468	IEXPLORE.EXE
2460	IEXPLORE.EXE
2460	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
224	dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118mgr.exe
1528	WaterMark.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 224	4028	dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118.exe	82
PID 4028 wrote to memory of 224	4028	dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118.exe	82
PID 4028 wrote to memory of 224	4028	dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118.exe	82
PID 224 wrote to memory of 1528	224	dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118mgr.exe	83
PID 224 wrote to memory of 1528	224	dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118mgr.exe	83
PID 224 wrote to memory of 1528	224	dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118mgr.exe	83
PID 1528 wrote to memory of 4920	1528	WaterMark.exe	84
PID 1528 wrote to memory of 4920	1528	WaterMark.exe	84
PID 1528 wrote to memory of 4920	1528	WaterMark.exe	84
PID 1528 wrote to memory of 4920	1528	WaterMark.exe	84
PID 1528 wrote to memory of 4920	1528	WaterMark.exe	84
PID 1528 wrote to memory of 4920	1528	WaterMark.exe	84
PID 1528 wrote to memory of 4920	1528	WaterMark.exe	84
PID 1528 wrote to memory of 4920	1528	WaterMark.exe	84
PID 1528 wrote to memory of 4920	1528	WaterMark.exe	84
PID 1528 wrote to memory of 4844	1528	WaterMark.exe	88
PID 1528 wrote to memory of 4844	1528	WaterMark.exe	88
PID 1528 wrote to memory of 1704	1528	WaterMark.exe	89
PID 1528 wrote to memory of 1704	1528	WaterMark.exe	89
PID 1704 wrote to memory of 4468	1704	iexplore.exe	91
PID 1704 wrote to memory of 4468	1704	iexplore.exe	91
PID 1704 wrote to memory of 4468	1704	iexplore.exe	91
PID 4844 wrote to memory of 2460	4844	iexplore.exe	90
PID 4844 wrote to memory of 2460	4844	iexplore.exe	90
PID 4844 wrote to memory of 2460	4844	iexplore.exe	90

C:\Users\Admin\AppData\Local\Temp\dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118mgr.exe
  C:\Users\Admin\AppData\Local\Temp\dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118mgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:4920
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 204
        5⤵
        Program crash
        
        PID:3180
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4844 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2460
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4920 -ip 4920
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
2d1847b341a938389fc5b14b0bcd9eb2

SHA1
4036e71c4002e7ee173d59dc84a9cb5aa1390d34

SHA256
275c7427c6238d335e521a313e6cff2357b16e645202f11e3433cd56539ccc32

SHA512
384e910821ee8b786f70b5358f120cb3aea47f0e50d1f5c6e4c7304435c7d88f2c5ac9027c73823916149a369ac1c7640c18b13db8e6ee740c963e1b8bd51428

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
6b6f4ae51fe058a934e848922069b56e

SHA1
0e672d3dc9c02904c9bca63a9f612296a0926f67

SHA256
684ea09f62b209057852e935275f0585e8cc8dfe29c2ddb3535fa444bb9fb5b5

SHA512
bce42dae3f047cc4b0052a235425fb84842e8606233a07ee702007088df13661ec4b80d08b06a55e6062dee5b9573afcb42a232dcd84e02d673a9c9479e522fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
21435f5a501c02050cec0d0343ce403c

SHA1
1505e0e691fc62819bb4699f93aab486e3400021

SHA256
05237142fa1a9ea24ae34012354daf80b0fde8fb12752ecf3e35dc23277ce62d

SHA512
da248ee21e3745f3c08a990978e1abc353c618a4075f2651bb55c47cf67955d6eb18212e61df1007395bf6d4c9f0cd2917614b18936ae38535adb15b91468286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CC704D94-B69D-11EF-B9D5-F6235BFAC6D3}.dat

Filesize
5KB

MD5
5485d721248c5ef68b2a767826d59e7c

SHA1
c8e7f594d37cc7f56e19b1d4c0406fee0c3b4793

SHA256
2edd7bef308b5c9c6df142ad5fe57ee58ef9b88596cf5693d7a2f2b7a950aa83

SHA512
6c6a0699ca13badd75aa44fb136f3bd92c93df6d5e31e2e7b38f892f50d3800f7557d6167eb6f9d1b90edbabe65b75c8b268da09da6cf1ad1dbc999099673d67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CC72AFE2-B69D-11EF-B9D5-F6235BFAC6D3}.dat

Filesize
3KB

MD5
a33f56ff36e461a7c2e0247108f67b3f

SHA1
167395d7284489b0f2632f2bc49e91ac7b910be3

SHA256
ac72b1917ae78b5c408569830b00e7bed6539e010566847fdfd2138b0bc76f5e

SHA512
129955df4befb39f5b8eab0e85982e36d556e1629e0f6995c9c11658d131cf2127befdbcd99043e4b4fae5b7b11dbdc3333f11bdaf4bf7f75880ad5be14a8bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver39C8.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc94cc73ac59e09d4efd0b87bf6bdd08_JaffaCakes118mgr.exe

Filesize
60KB

MD5
cd963c64ad0bea4ca85a4819f6eefed1

SHA1
d9cd6316cf3c6ce5ceec9694c2debc7b7981775f

SHA256
33c4b715dc8b183dff9aac65cc42c7f2c70658580b8e3d449878251482a5d906

SHA512
f7cd12c57eff3acf7c89b0e7b55dfa81623618a65d6c49b490c199cfe63ae9e858f2681c8ef1425d1e4b25f7b0bbd6d4a9d9788956c23f52fece3d5d79b5907e

Download Submit
memory/224-22-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/224-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/224-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/224-11-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/224-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/224-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/224-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/224-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/224-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/224-7-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/224-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/224-5-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/224-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1528-37-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1528-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1528-29-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1528-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1528-44-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1528-36-0x0000000077112000-0x0000000077113000-memory.dmp

Filesize
4KB

Download
memory/1528-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1528-31-0x0000000077112000-0x0000000077113000-memory.dmp

Filesize
4KB

Download
memory/4028-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4028-42-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4920-34-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/4920-35-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download