Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-12-2024 06:49

General

  • Target

    ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe

  • Size

    108KB

  • MD5

    ea69cbd4cef47b051db7a16308ec764b

  • SHA1

    d6e3a85a10e31876a2ef250f85a66f91bf21293e

  • SHA256

    1abe45aa3042f4085101cf285a456c80c9e6f0189a6965e440c9f8ca33d99304

  • SHA512

    310ff8e047d557770124bdcd9180adabe290793528e7e13dd9990b0041ecaac17c44f53d5f31df833a64843592f453fb8f06ad2df5b839b309d2ed5021176ee3

  • SSDEEP

    3072:1DahPBarKpbqAC3gNFmfnAZ1+cpVZX8nLlKSI7da0wL7MI:AhPBarKptTmfAZ1QnkBaXL5

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 20 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 32 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Program crash 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SetWindowsHookEx 33 IoCs
  • Suspicious use of UnmapMainImage 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Users\Admin\AppData\Local\Temp\ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118mgr.exe
      C:\Users\Admin\AppData\Local\Temp\ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118mgr.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
          PID:2452
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 208
            5⤵
            • Program crash
            PID:4536
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:2896
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2896 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2556
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2896 CREDAT:82946 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1300
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2896 CREDAT:214018 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2332
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          PID:4452
    • C:\Windows\SysWOW64\dllChache\Empty.jpg
      C:\Windows\system32\dllChache\Empty.jpg ReStart
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:184
      • C:\Windows\SysWOW64\dllChache\Emptymgr.exe
        C:\Windows\SysWOW64\dllChache\Emptymgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1436
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            PID:3300
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 204
              6⤵
              • Program crash
              PID:756
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            PID:384
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            PID:4736
    • C:\Windows\SysWOW64\dllChache\Blank.doc
      C:\Windows\system32\dllChache\Blank.doc ReStart
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:264
      • C:\Windows\SysWOW64\dllChache\Blankmgr.exe
        C:\Windows\SysWOW64\dllChache\Blankmgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3552
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1952
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            PID:4292
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 204
              6⤵
              • Program crash
              PID:4912
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            PID:4208
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            PID:2844
    • C:\Windows\SysWOW64\dllChache\Zero.txt
      C:\Windows\system32\dllChache\Zero.txt ReStart
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\SysWOW64\dllChache\Zeromgr.exe
        C:\Windows\SysWOW64\dllChache\Zeromgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4988
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            PID:1988
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 204
              6⤵
              • Program crash
              PID:4924
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            PID:3456
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            PID:4264
    • C:\Windows\SysWOW64\dllChache\Hole.zip
      C:\Windows\system32\dllChache\Hole.zip ReStart
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4008
      • C:\Windows\SysWOW64\dllChache\Holemgr.exe
        C:\Windows\SysWOW64\dllChache\Holemgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        PID:904
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          PID:4316
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            PID:3288
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            PID:680
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            PID:1116
      • C:\Windows\SysWOW64\dllChache\Hole.zip
        C:\Windows\system32\dllChache\Hole.zip ReStart
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3376
        • C:\Windows\SysWOW64\dllChache\Holemgr.exe
          C:\Windows\SysWOW64\dllChache\Holemgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of UnmapMainImage
          PID:5040
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            PID:2600
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
              PID:344
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 204
                7⤵
                • Program crash
                PID:4612
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              PID:3524
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3524 CREDAT:17410 /prefetch:2
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4592
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              6⤵
              PID:3420
      • C:\Windows\SysWOW64\dllChache\Unoccupied.reg
        C:\Windows\system32\dllChache\Unoccupied.reg ReStart
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2596
        • C:\Windows\SysWOW64\dllChache\Unoccupiedmgr.exe
          C:\Windows\SysWOW64\dllChache\Unoccupiedmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of UnmapMainImage
          PID:1960
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            PID:3636
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
              PID:872
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 204
                7⤵
                • Program crash
                PID:116
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              PID:3724
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3724 CREDAT:17410 /prefetch:2
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1976
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              PID:244
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:244 CREDAT:17410 /prefetch:2
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2172
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3300 -ip 3300
    1⤵
    PID:2268
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2452 -ip 2452
    1⤵
    PID:4896
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4292 -ip 4292
    1⤵
    PID:4464
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1988 -ip 1988
    1⤵
    PID:880
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3288 -ip 3288
    1⤵
    PID:2604
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 344 -ip 344
    1⤵
    PID:3516
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 872 -ip 872
    1⤵
    PID:3632

Network

MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                                          Filesize

                                          471B

                                          MD5

                                          030d28178ec890f0d933359dad23da1e

                                          SHA1

                                          5fa5195ca05aea5caaf471afbcc2fd039876f3c4

                                          SHA256

                                          1e40a11d7943a7924cacca9632fa6dd8bd24fb1072cb61e64f9033ebce74806b

                                          SHA512

                                          0a4d2a2dc387cda5c4a2545d416aa40eaccc7f0176861c2862c0a792970282189548309263d0937913a9e8be8105074a8d7129b87e277db68a0efbc57f3030e6

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                                          Filesize

                                          404B

                                          MD5

                                          c4cfbc3c9a39b6aab3b06d5de2293b7d

                                          SHA1

                                          82470a3c806e30e302d4bcbf9c84116df0238683

                                          SHA256

                                          f9b968a009f9b6d29077994783e9fcaabcd108edb9b3262c9bb8fb6559376d82

                                          SHA512

                                          463bd2fe641494020215b31b61120eded85bfbfbf6ab67f7c2dcaee0d0965348591596c1a52319b67b72ab559430d8c6ff8f371c701c21582b2d0d93b3c91e3f

                                        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5CC92F1C-B91E-11EF-A4B7-520873AEBE93}.dat

                                          Filesize

                                          3KB

                                          MD5

                                          05ea76e8f4b0ad4c3ccd2fddb4682743

                                          SHA1

                                          babf3df3e85bea0648a22d6c873b24b1cc96fe26

                                          SHA256

                                          a356ba0b63404e89cd2182d1319eb24df5d8fb3159bb7063600167c1988f5746

                                          SHA512

                                          b604a7681aff0c18aa2edbb0d90627af37f39e60f3d023bbdc8466e912c1bd1e3a78cbc73c8b88582d14e13d51d4f0cffa4d8b132c21572236296cff8df63809

                                        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5CE10791-B91E-11EF-A4B7-520873AEBE93}.dat

                                          Filesize

                                          5KB

                                          MD5

                                          a561d1421c61cdbfc8423914b7dca3bb

                                          SHA1

                                          ed3b3e4c4eb2cae29cef259b736cde1a9d8adc77

                                          SHA256

                                          4406d6c660376776d08e2d937760c8152f59ec863dae022a2a881ed1b66e7837

                                          SHA512

                                          696fbe336d7968dd6ddcd5303522b1dc59984de56869280ce5422502175ba298adf9247133e908a77098c4ea5be25ac0bb8a27b333e9dbe44cb62fb9b72f1ecc

                                        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5CE36AA6-B91E-11EF-A4B7-520873AEBE93}.dat

                                          Filesize

                                          5KB

                                          MD5

                                          650dca988acdab68c629819670b1f288

                                          SHA1

                                          151c88b9ed89bae1d7d562b3f195ed2303710504

                                          SHA256

                                          0897126d7f3f5fc2855427b606897cb9ddfd074a09fa10e19d1041b430d6fd27

                                          SHA512

                                          edee830174417e0ee398913f62801393f06ce5499ecd74de4ff5d9c279b19cb6d4f0e5694a04cb5f31256f421f7321c3427e833dd108ada342d7b8456b5306ac

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\suggestions[1].en-US

                                          Filesize

                                          17KB

                                          MD5

                                          5a34cb996293fde2cb7a4ac89587393a

                                          SHA1

                                          3c96c993500690d1a77873cd62bc639b3a10653f

                                          SHA256

                                          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                                          SHA512

                                          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                                        • C:\Users\Admin\AppData\Local\Temp\ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118mgr.exe
                                          Filesize: 60KB
                                          MD5: f4f27869cdedbb0d9d1996d33be2c8a1
                                          SHA1: 277b2df1585794b40b51053af2aeaf88ce40474a
                                          SHA256: 1c81a61ce416989fcdc5a72585933e60f68a21d952733afd65092156c3c253a1
                                          SHA512: 8656ba9d9618954026fee9ca48d701b10d336eba0549ad506bc91df26b647be1db265062112a4699ca554c8dda2c7a4706055474cd0b127eefff1086c840dfd8

                                        • C:\Windows\SysWOW64\dllChache\MSVBVM60.DLL
                                          Filesize: 1.4MB
                                          MD5: 25f62c02619174b35851b0e0455b3d94
                                          SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
                                          SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
                                          SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

                                        • C:\Windows\SysWOW64\dllchache\Zero.txt
                                          Filesize: 108KB
                                          MD5: ea69cbd4cef47b051db7a16308ec764b
                                          SHA1: d6e3a85a10e31876a2ef250f85a66f91bf21293e
                                          SHA256: 1abe45aa3042f4085101cf285a456c80c9e6f0189a6965e440c9f8ca33d99304
                                          SHA512: 310ff8e047d557770124bdcd9180adabe290793528e7e13dd9990b0041ecaac17c44f53d5f31df833a64843592f453fb8f06ad2df5b839b309d2ed5021176ee3

                                        • memory/184-105-0x0000000000400000-0x000000000042D000-memory.dmp
                                          Filesize: 180KB

                                        • memory/184-66-0x0000000000400000-0x000000000042D000-memory.dmp
                                          Filesize: 180KB

                                        • memory/264-169-0x0000000000400000-0x000000000042D000-memory.dmp
                                          Filesize: 180KB

                                        • memory/264-106-0x0000000000400000-0x000000000042D000-memory.dmp
                                          Filesize: 180KB

                                        • memory/904-180-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/1436-96-0x0000000002830000-0x0000000002831000-memory.dmp
                                          Filesize: 4KB

                                        • memory/1436-99-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/1436-132-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/1716-209-0x0000000000400000-0x000000000042D000-memory.dmp
                                          Filesize: 180KB

                                        • memory/1764-259-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/1764-67-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/1764-79-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/1764-76-0x00000000777E2000-0x00000000777E3000-memory.dmp
                                          Filesize: 4KB

                                        • memory/1764-98-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/1764-69-0x0000000000900000-0x0000000000901000-memory.dmp
                                          Filesize: 4KB

                                        • memory/1952-140-0x0000000000A20000-0x0000000000A21000-memory.dmp
                                          Filesize: 4KB

                                        • memory/1960-234-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/2152-64-0x0000000000400000-0x000000000042D000-memory.dmp
                                          Filesize: 180KB

                                        • memory/2152-0-0x0000000000400000-0x000000000042D000-memory.dmp
                                          Filesize: 180KB

                                        • memory/2452-91-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
                                          Filesize: 4KB

                                        • memory/2452-92-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
                                          Filesize: 4KB

                                        • memory/2560-10-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/2560-11-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/2560-5-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/2560-8-0x0000000000401000-0x0000000000402000-memory.dmp
                                          Filesize: 4KB

                                        • memory/2560-14-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/2560-15-0x00000000008B0000-0x00000000008B1000-memory.dmp
                                          Filesize: 4KB

                                        • memory/2560-21-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/2560-17-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/2560-9-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/2560-16-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/2596-210-0x0000000000400000-0x000000000042D000-memory.dmp
                                          Filesize: 180KB

                                        • memory/2596-253-0x0000000000400000-0x000000000042D000-memory.dmp
                                          Filesize: 180KB

                                        • memory/2740-80-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/3376-247-0x0000000000400000-0x000000000042D000-memory.dmp
                                          Filesize: 180KB

                                        • memory/3552-120-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/3552-110-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB

                                        • memory/4008-239-0x0000000000400000-0x000000000042D000-memory.dmp
                                          Filesize: 180KB

                                        • memory/4008-161-0x0000000000400000-0x000000000042D000-memory.dmp
                                          Filesize: 180KB

                                        • memory/4988-155-0x00000000008D0000-0x00000000008D1000-memory.dmp
                                          Filesize: 4KB

                                        • memory/5004-144-0x0000000000400000-0x0000000000421000-memory.dmp
                                          Filesize: 132KB