ramnit | 9f557ec2d82003805bb4ff078bf5943251305505f2094d3fca08d291f7db93dc

Analysis

max time kernel
129s
max time network
139s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
10/12/2024, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118.exe
Size

172KB
MD5

dded937a683c71ea3251bacd51ce1fd8
SHA1

686c7625f72a5d63e2957cb13c059dfccf01672c
SHA256

9f557ec2d82003805bb4ff078bf5943251305505f2094d3fca08d291f7db93dc
SHA512

089509167709e71f927b3613a80e46f0f6d77c6980e478e0a9ef3f980538f8e2ae8ca1eac3a930963d7927bc69456b47bf7666f4086525f35c1ee30ada37a0ae
SSDEEP

3072:MO+EbyrLhacuvKlQDCRNpQK5B5TtzXJcGXTWDH4guf9:MW+NQK5B5xXJcEeH0

Score

10^/10

ramnit banker defense_evasion discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Deletes itself 1 IoCs

pid	Process
3012	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2052	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118Srv.exe
2192	DesktopLayer.exe
2580	zqhjao.exe
580	zqhjaoSrv.exe

Loads dropped DLL 2 IoCs

pid	Process
3068	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118.exe
2052	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118Srv.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BB6C8F01-B6D2-11EF-8F62-F2F62FDDD033}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BB6C8F03-B6D2-11EF-8F62-F2F62FDDD033}.dat	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BB6C8F0C-B6D2-11EF-8F62-F2F62FDDD033}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BB6C8F01-B6D2-11EF-8F62-F2F62FDDD033}.dat	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00460000000120f4-2.dat	upx
behavioral1/memory/2052-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2052-12-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2192-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2192-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/580-34-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBB05.tmp	zqhjaoSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	zqhjaoSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBA69.tmp	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118Srv.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\zqhjao.exe	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118.exe
File opened for modification	C:\Windows\zqhjao.exe	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118.exe
File created	C:\Windows\zqhjaoSrv.exe	zqhjao.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqhjao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqhjaoSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439982035"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BB5F38F1-B6D2-11EF-8F62-F2F62FDDD033} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{465CAC56-8B0A-4117-922F-2EBC2227668F}\WpadDecision = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 403eed7ddf4adb01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e8070c0002000a0008002a0030003a03	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Flags = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 01000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "dzf37l3"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e8070c0002000a0008002a003600ba01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "4"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-4e-ae-11-01-83\WpadDecisionTime = 806d8b7fdf4adb01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "2"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{465CAC56-8B0A-4117-922F-2EBC2227668F}\WpadDecisionTime = 806d8b7fdf4adb01	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2192	DesktopLayer.exe
2192	DesktopLayer.exe
2192	DesktopLayer.exe
2192	DesktopLayer.exe
580	zqhjaoSrv.exe
580	zqhjaoSrv.exe
580	zqhjaoSrv.exe
580	zqhjaoSrv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3068	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2360	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2360	iexplore.exe
2360	iexplore.exe
1984	iexplore.exe
1984	iexplore.exe
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2052	3068	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2052	3068	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2052	3068	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2052	3068	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2192	2052	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118Srv.exe	31
PID 2052 wrote to memory of 2192	2052	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118Srv.exe	31
PID 2052 wrote to memory of 2192	2052	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118Srv.exe	31
PID 2052 wrote to memory of 2192	2052	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118Srv.exe	31
PID 2192 wrote to memory of 2360	2192	DesktopLayer.exe	32
PID 2192 wrote to memory of 2360	2192	DesktopLayer.exe	32
PID 2192 wrote to memory of 2360	2192	DesktopLayer.exe	32
PID 2192 wrote to memory of 2360	2192	DesktopLayer.exe	32
PID 2580 wrote to memory of 580	2580	zqhjao.exe	34
PID 2580 wrote to memory of 580	2580	zqhjao.exe	34
PID 2580 wrote to memory of 580	2580	zqhjao.exe	34
PID 2580 wrote to memory of 580	2580	zqhjao.exe	34
PID 580 wrote to memory of 1984	580	zqhjaoSrv.exe	35
PID 580 wrote to memory of 1984	580	zqhjaoSrv.exe	35
PID 580 wrote to memory of 1984	580	zqhjaoSrv.exe	35
PID 580 wrote to memory of 1984	580	zqhjaoSrv.exe	35
PID 1984 wrote to memory of 2860	1984	iexplore.exe	36
PID 1984 wrote to memory of 2860	1984	iexplore.exe	36
PID 1984 wrote to memory of 2860	1984	iexplore.exe	36
PID 3068 wrote to memory of 3012	3068	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118.exe	37
PID 3068 wrote to memory of 3012	3068	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118.exe	37
PID 3068 wrote to memory of 3012	3068	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118.exe	37
PID 3068 wrote to memory of 3012	3068	dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118.exe	37
PID 2360 wrote to memory of 2984	2360	iexplore.exe	38
PID 2360 wrote to memory of 2984	2360	iexplore.exe	38
PID 2360 wrote to memory of 2984	2360	iexplore.exe	38
PID 2360 wrote to memory of 2984	2360	iexplore.exe	38
PID 1984 wrote to memory of 2776	1984	iexplore.exe	40
PID 1984 wrote to memory of 2776	1984	iexplore.exe	40
PID 1984 wrote to memory of 2776	1984	iexplore.exe	40
PID 1984 wrote to memory of 2776	1984	iexplore.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118Srv.exe
  C:\Users\Admin\AppData\Local\Temp\dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2360 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DDED93~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3012

C:\Windows\zqhjao.exe
C:\Windows\zqhjao.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\zqhjaoSrv.exe
  C:\Windows\zqhjaoSrv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2860
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e46e9147a4906a5df69341508b523d6b

SHA1
700eec0c2aca234a2f54e465a0906f479f25e372

SHA256
5fa633b3d3314605c967bf7d2b959c11fc14d2322ba1d322beb93378a5ba60ec

SHA512
ecc4266b0846fd53e42986db2ab108037b77e43f878a025564b7d3bbad17888e76b1ab411931babdd7416df0d3afa3a99339c80853fe2724200e6188c94c81b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
221d88314c6fc6708ca17df66c0ae37b

SHA1
27219e76051755df4b0dc14de923311eb27774b9

SHA256
84e40dce4d4b1bdd826720d03f4c6969cc4ebecc4df3328a637ed8cfd4d935bf

SHA512
b0a94557fd4209e6e95a2ec2ee61665471119ea801a15ed9756c481ae54498c7c653fbbe65f83a97ebd60495903d10d486adbe0de2c54639e365c4528a01ee0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
204901c2b580710b62aca8fcff8d33d2

SHA1
cb3c12ae889c0e65be42fedceb264213a2df6723

SHA256
8df7ea0355341a7cb70bb0c6f33d01ed3384c619ee9dc7a6dffaddd98c4c015c

SHA512
3a7401fabdbc2c4cff5d8d8410eaca3295c0b5714ee4f80e13be0d4b60f61f03116ede30682576b0747d69761dc53bffbb09620bddf4c67b5813dbacf57fb745

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edc9bffb60c8d4c2d53d9424d39432c2

SHA1
fe3abae8157818ff00acc70cf3ff1c532778be03

SHA256
0672fcbd7f195dd2433402cc81b91b8f3b6af61cba6e51a8111c5b008c0a9035

SHA512
dfb80176e39ae8d9daa266c0fd250ddd26727c9b5d1ded3372cf8918bb2b6cba2220f7244702f7aaf33acbadf8914e386818e54fbc700743cd2685a1e6ad06d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
303fb52fd78aa761472bbb66f627ca60

SHA1
9838ad0224456b0c92799a6b3103d6cb04d1126f

SHA256
3e37e795538fb0ab1ddeefdb80fe027935a9f5b9e853536c71167a0c7dd4e0b5

SHA512
a0fae626c2546376fba9a299b420136335cdd1083e9793e466dc4d1d0d1f02ae1c284746f56c445bb9c834c217931d1cc4e862252fc5413b5b97bc2efd23bc4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dad2f7394e2d839b7ab5148d25a4c81e

SHA1
22f0ef7945187bc1ca2dfdfa5c0aef575db00b4c

SHA256
569b15140fa87e77304ef8ddbdf172dbcb98ad4d1c5181045e485ad0a9479232

SHA512
49ff299cf727d06bdc54c6f8cee25c1be3336ea1bc3844fd8dc89b4266ebe15ac3477c5cca2a599644913dd28b0323617951f7d01650c51c9eb4600fbf7b0f7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e108eb3549bfb90a9a98f69f9c73a36

SHA1
ba8a41b05e50d78b5bf5c25eaf9adc306ad974e1

SHA256
19da82c942d905c6296cb1facd0cb56c9ac8d76e67195c859331aa8def026b47

SHA512
1a1b9331047ab0e09049ab0aa9beb2183b520a2998e1f58aef291a7e125d9c644a2dc833bd36b38f8ddaa0880a36846dfa4a665b03dc5211e1afa5dd9845a178

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d7610f01c5fcf2e67e0c7fe734f1827

SHA1
1c954f5334685d9ae6a2674a4a5590cc3cfe4f90

SHA256
fb04ffba3fabddc0406b068f0d4f76413b948eb44bfa23dda1810beba00945fc

SHA512
0934fe75cb09279b1242a53e2026ef1e181d351f5fac84dc1a035adb1813bed78786f2074897c5a0d279e65640a8c6edb2ebc393a909c030528125d826572f78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d41f10f8bd603f2c38cae31ff320e9f2

SHA1
41eddbaa55c1dd7ebe2726aba84789ff56baa93f

SHA256
50418e67682e7ea68601feb6ad66e9c1d801050d20f47fedfbdf3a72652d0e36

SHA512
f77522d075dfec74ceb54e3437efa684a1a3cb0b36c41ba018897a87e846ebcd75f078c764d61e05d08b520e5eb369dfa675df4ea074d1169274867dff331a0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3e583d201cdef8ac538a841533a394b

SHA1
1aaf064cad24847680d4f646b6c8b41e05e54cda

SHA256
5055402658d6d906acacd48f45e277ef5f9e2488293a081ff2b595d30ec18936

SHA512
d921bfcf5ed0234f3b3e55bdc228165db8150b2cd5ad4fb700b1d33b5181af7dc41eb37028cfab7fcc8e5f38447216f87c0fffb478f1bea136904c21ea1d0cea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c449db09593f298fd3ea60c3922e8c45

SHA1
4399a13e8d363f8e590026e1f92affbf6174be59

SHA256
d1fe543bc34760f07b7889f569d7dcfc1e332b01c881316ad0db37cec6d1da23

SHA512
8170eddab440d6ad028afd59acb70051563386b86df3f3d197c3503eabf48613ae76ce0d57fd19155ba753e5379a8685f75b4cee41614b3bde8fb8e3d080e521

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d8796a8e93ae6e33b32c370dd006e40

SHA1
b30a226fd601f97b915ace7eaadf0bdd61cf3063

SHA256
d01541d9795c9fd9dbaf3396c134afe307141cbee6eef051bdcf3e8cebb9783f

SHA512
f36e5c9be625670998b4d186868651bb52d9b1a3cf91c88322546fe63354e4504a541c0c3131ba0a6c7cc0f4957127b50af2390d4ee47b9b25c135b11186da5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12a2903497c5d749f810d6d699337731

SHA1
d644704a3c3da8bce1cdf28dab1b7bcb8e6f9a7e

SHA256
46dbdb2d46e0ca1e80ea18d8daf1dff2a0b3b9a4d44825d68fbf38b94190ca20

SHA512
31756eb16d13e7fb9408b3cb3452ae96a816dbb09b77d524bd81c479bd07d01bf11ff0b6061c793e612da133a0438c019e481db76d88568d8f1fb2735a080365

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
867728bb55f71c50a7a2060a160f45b1

SHA1
4f48bc9cc59951d61f361a326415c1a5221cdb7e

SHA256
add0866037b14356f55e4039fa4ed011ab54d89d511d6ed69312a028a6652ee1

SHA512
7a83a16310a4cf39392166cff3935e795079f37c9e80953a9ade88982b30054089d426f81cbc41148c315a607b1d565e515ad12198a552b220ce89bf351f2087

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f85824cdf3f37b575988fa2bb06c86bd

SHA1
123b1b18a248aadaddf95903618ef5500e40cf91

SHA256
f23d5cad4b63f03ae7a7758f4658de294729d737da3c8c3579f35d08241ccd7b

SHA512
c62fbc40e8353a9fb367b2ae1451c021044bd8a5412cc48dfdeb65cf0bd401905487262c4a105eb7bf2ab073a199a6ab64e184de5d941100de3b45fee3f28fe1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bf5c8edf7fe09dbd15e9aaedbb6e0e3

SHA1
9600306597596406720c7bc441e60d20fa9733dd

SHA256
f9ab81bb15a2ab1c40512695d3c8d723debdaa48dc985fc574cf064846e1c531

SHA512
c013613473e5750050bcb811f708e7eaccc1aff623e542065f0ea46b109f6f80fc00ed27e4118fb4d852ebd5b41daa3e8572c5dc793923c297518ab5a350ca14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b6630bff86e73b84dfbed5781a6901d

SHA1
1648e86bdff7114233f32dca86e06d597da624df

SHA256
02982eb076ab9fd80c5456d6346a566b5dabf1d7ef2bf06bfc9560cbcc392942

SHA512
a3f26cbe209cafa1b81a5397d971cad173a3cdbfb4419113f374132b72b124281fb6c81cc5ef3f979ac92e1fa9608a40b412fdc00f78a64537049eed0ca532ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51a08802a27c088850aa9fef713e14e1

SHA1
5da9250925122be6cfd903e1f4015f06bebf1781

SHA256
93ba24f64ce1b9e80793eba64bf33fd3f41c18598f27976afb23948f466164b2

SHA512
5447edc5204574712e97b0baf1727b4ae8a4dbcf0528ca117d14d2cbef2e25423dfce00534b707e25f4de5c229a7df7fd83b0f3345f397875b7c9033f47334ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e294b5eda237aaf92caee702a864fb48

SHA1
5732d40e454ec57bf51aec52f790e4efb64e3cb6

SHA256
b7a08b611d84a7bc7e53350f7971dedffd370a20efd70190e39fa36714bb9009

SHA512
f399c47904aac4fd381ccb76236ee54105e65c1bfae00e830aa551a3431c55c4f6c83a9dc7b2900ce7dff02c42e8d9619c739518f027eba91f220f77dbe657d7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
34ccfd90c3c238ef30161daec8dbdd42

SHA1
69043ae754d1c16c23e37bfdea64f9037420a933

SHA256
89b4f9e05c05148d1f0f14674dcee15b5e766dfb4755b89591da5e6b822b8b47

SHA512
aefd979fccbe84ca21a2d68de27116ad350d6531ae93cca87551f56675c83c09b4bb771c2fefcdf030ef0d9d61874726a1d18253db64215a4752054888364798

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcc6b7a2c6df1c5555e980300a2f983b

SHA1
9f469dc2efe2f53dab1958c952036518e4853225

SHA256
30464d09236d03c4cfa8a5352d204b140da953b5a8954c790e20b5396928b65e

SHA512
d81479299e1afe95b3513894c8ae7b6f31389d5aa3766377e1fe3b969e6dd842095862d53d70cbb784603e6c4d53388a3524f753ac404b5bb63e1449891d4b0a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d56b532382c92230ec5b3e75bb2e440

SHA1
6658a1597e8b93c268c06b066a42937d1eb50568

SHA256
fa41f2e5b05d6531f96ae5baf96b63ea669cfc6b181c7ed13d8b4b01cd97b469

SHA512
acb904ced531245dde8ba81c8791728a3da01b9d66cd5e489e5c458e23bec2d3773b7b2db711531b46650f14d22050d700c8a174d310d0e50e84891f7373003a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
967d790890d099c6c45591969a698818

SHA1
b18d5d0ca992b25fa3f5f2f0cd15f8d456b15ef7

SHA256
9a17b7298605142725f08caf80a7db36b474f2b3309ab09e8aeb63f04ab3842a

SHA512
cdc75a1357e0e2a0763cae805546c0696fce49bc3aeb94219315579312d6c8036f9614914e7ec8535eed67b042ba47273678b9069af02595c4e3b5fc12c0f0b9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61b78ebe7eef113de3b5fda6f1fa410d

SHA1
a8d6fc2f3ee3bc6eed39cb69225c7603271fab6f

SHA256
7054f4184ae3cc1fa74f5efdaff6a315a881e5cb3ffaef1925b3a241a44841be

SHA512
12e9ef97742678fe4718c38e45a7ea897558c4210d528ee88599098eda751e32018aea7db63f92f0613648e5273d609e13fddb541edd0feabf05cce02b4efdc9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8e04a6dc7dc6e5440497c640313fd51

SHA1
f2973b4bb581f8f6b45fa8c441170fa1bb531846

SHA256
f2a6c3a80f4d0272346ffb4679cec142279b2462f2db4a804886b95a7193df56

SHA512
54df1219c14afbf1007c364ef419a617e4f43889a406b5b4198772970589cc020bc3aba8fa2119248dd8b33603613378ce3e988f7858b700ddca184693f6f22a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55910f49a5c1605f86d8baff4ec53e03

SHA1
9b47a4cf17950be20a185668ee23d9c1f5f3aefc

SHA256
3ed7ef7a92d70472c5d2bde72750d8f3ba0dd8e7e439a244264ed06dda495e51

SHA512
d75fde7e2acc506c555a64eea51e21bdfd911e66130da459b0a4dcd928ce0d295e1a3fce64034c4d4289b5c0a4f5d0eb24569f7d09b28737d6d2a260667e8cfa

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec49f9fcbcf303844c5beb3d2056c111

SHA1
f1ac31468041d4fbc835c01a72b2921c966a9486

SHA256
f7a14c8ff139cc3b7a65b32a5c82872403dc096a834940d1644e9b574094064d

SHA512
159c05c8035ac6af6918338fcbb64867a2ff6636b8e5f4504b99e9c18f2943889d270ba8ac9d2a82dc29f40ff3ae13439e81b6e3ae3b2ef61d7189b6d2a8ee5e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a684e75d3c36f47e0f6a0feb0183966f

SHA1
299bbcf7711a029fcc7dae998f8a6b621dbd7e79

SHA256
19905a606a45505bd932ae5a7d4e9ffb3d21bd24d3a596ad8bf6088447067bda

SHA512
98f39e704292eb4faed939775a36d209f652cf2d6c593078741ebc36f6cd41fca8a912615e085406a22894c65de7a4cdd8a6ce1ef652270151fe9cbd23acb312

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47284f51a12424b44241e616d801f629

SHA1
899c8eb60fba07c9852145c7f847007713e57542

SHA256
d047eb846dee4ed5614423640e1e969ce557567aaf2b1e4914508e7b10f3e6c3

SHA512
ecfbcb8d113653dd868001e995c536cee6a2643581f11d2e7a6713fec1807d6d55c0a997aab3561e4417633c5680c48827b8b33dda3e4d84f27759d0b85eb028

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d32127a2c2a664595e2ea1b8974b51e

SHA1
90d3765e500aec46e0f590c4766c2bd5b30264de

SHA256
e6bb2045a1dc176116ba205dfbfa6040f38ddf81472c29c6a664dc64dfcdeae3

SHA512
d136130e0f13b5299d5acb5adc7586f28c6305a0211748bddc85013206d646bee8659362682df53f82f0b7661b3b634d6c2c0d7b8e91230ada60edb4d64ffda8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
486e2dfb2c8df7194ad743f38131ac6e

SHA1
7bec47af4f721df77f0b39793c6509bafd7e686d

SHA256
5c14b8c35164c4a682241319c4dbf6ff909d715252028e73934fd4fe9c1bb630

SHA512
f264cbd8eaa39792abfe9f9a7a605e9843e54d65d3c96f45449ec449bbae110a4f2de211655c1d237412481574b2f8ceea23ec484a94f5209340ad30d02a1040

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d406cbe4a859d90b5868bb377a2d5459

SHA1
7be378181125f39b07c988772641387d88e8c381

SHA256
ccd144e08f4515ab823b7355afd05235cb1cedec2c2cd6fde1a45c260d434cc8

SHA512
22be2637ae2a20827f865a49c6ba882a4067e2359ba0f1450d477e008d80701e130dfdef6fbbcf9ebfbed7206ed6ba35bfd15525fcfcbe176b4f87730eaa4ad8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5768d8aa063f38558b53fde30945404d

SHA1
0a3ced39dc2ad625041ca5d4f1cb47a7b85ac8d1

SHA256
bc1e4b77d3f4062cd3b392d5ef13867b8f6950e2047c5f804b7df286acea40c5

SHA512
3a930676e3da93aa9bbb1d74f858df40c981f2c302c9d1327918ae0053983273a9a4e8cc57ff23db29f33555f527b44b15a08749866314f05ca2c9fc119e085d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
973d03da0126118061a9ad0884588882

SHA1
1c5df7c083102d2d39aae4a97dd7a1d0699dcf43

SHA256
d533845d93acadd46b774aa18a80ec070c2fb4e01b8f152a86fceb73777bb6f5

SHA512
aab0d05048028ab31f83d9d37c973ddaad187cccf62cd88657d7f7dd6e0b3e6d55acc3c3c99d2e047320592ebae2ddc20200cd23137b19775b33236459742996

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00bc6f5d73dadd4d0b3db4a359d59f8b

SHA1
b8f39b167fef61886f69f0829dcac4f7f750a980

SHA256
1cbea37628a9291c1c3e9007713571b105ebda766ef533029e416955cd8e9981

SHA512
710817740b2e82939a98d62ac33d28bcaf09ffbb315974c0dc8e1e8212089c7cd3dbc99a66ba330b56e219906041ec688c1f190f152138f4ae455f838ca4b89a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c0beebf13eac96dac584157787a1f09

SHA1
4aa6626436b91a5eb8318adf8195b730fbdbc8d1

SHA256
3d2758d47175992321ddac64412a65d6152aa148d15d2c7ceda3cd308a77541e

SHA512
1c3526bcf0ec173eb0fd349d4ebf0d815008c4a29b3fb37da753ac84e84e62370c1e60826aca1bd8addbfa7a7a1e2462fa5c0affdfbef4359509630ce8efe2e4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9227d9ab60be4d78b4c73c1d200edf2

SHA1
33ce6916284f02bf002cb80d13b693f759419047

SHA256
2cbf17c93681ea3cc1bef44b06685a5beb9454089b33ba2344658d1c84d91204

SHA512
9421d6aaee2b99a0000e6d88396b9405f9ab2d08a890a059c66d96564c5c5eb707f5434a18419efe7c83bb534b991b3d5cff945919fc6a84de774b32733e9503

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e44b3584bb462f7bc9fbbd24c7239631

SHA1
4ddca0587116e85a0b3d70aebfe7750a518d0eb1

SHA256
046954a3c9928ee9fcd9bf1009f51c553448091c4b6b0e00f49f3cbe1a386cd0

SHA512
0489229040e5692ed6a773af228468836e86f353638a75e5a235175fc63b976ca4198c2a17565445e48c56f98a1cac42f03ec9246725e6a714d5892d3cb1f47e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4afcdde957c00b6c865b3b81f9f90456

SHA1
5023743e7d57e355825a2efe9fb1684d87d44524

SHA256
1a58299f833ed5181485d410526df39169eeb8708a89ecb8191b951180a16a0c

SHA512
80210137b95fd46e4aceea5b9197448f0ac98c1e5526959809e1bbf821ff25aa722d4b848010df54c5b224f16f587502caa63ff594114fb1c61697306e95dc2a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
c30085d5dc00aaf55d710660454f49d6

SHA1
eaf72e798030dbd213d92b39535a248e70d31678

SHA256
56c7e429c09e35d2f0c0e4a97cfd36d9b4ecd586077fb58eb5cf4a07470aceb6

SHA512
77804b09ef9ec1aefc75e939c1d025202301a0f272a50bab916061a52c9ee4993f75442d37a4c4fab1cbd7f42e4ac670767fbc34d67b25d602eeb945194061f7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabC8ED.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarC8F2.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarCABF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwBCF9.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwBCFA.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\zqhjao.exe

Filesize
172KB

MD5
dded937a683c71ea3251bacd51ce1fd8

SHA1
686c7625f72a5d63e2957cb13c059dfccf01672c

SHA256
9f557ec2d82003805bb4ff078bf5943251305505f2094d3fca08d291f7db93dc

SHA512
089509167709e71f927b3613a80e46f0f6d77c6980e478e0a9ef3f980538f8e2ae8ca1eac3a930963d7927bc69456b47bf7666f4086525f35c1ee30ada37a0ae

Download Submit
\Users\Admin\AppData\Local\Temp\dded937a683c71ea3251bacd51ce1fd8_JaffaCakes118Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/580-34-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2052-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2052-11-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2052-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2192-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2192-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2192-19-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2580-28-0x0000000000300000-0x000000000032E000-memory.dmp

Filesize
184KB

Download
memory/2580-25-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2580-725-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2580-726-0x0000000000300000-0x000000000032E000-memory.dmp

Filesize
184KB

Download
memory/3068-27-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3068-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3068-39-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3068-6-0x00000000002D0000-0x00000000002FE000-memory.dmp

Filesize
184KB

Download