ramnit | 94a54e052116933d92151ba3308f6dadec8bc38d4c09d8664e9f30e63788cbcf

Analysis

max time kernel
133s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0.exe
Size

653KB
MD5

014a67e0ee07f82c50a5dbc176a3aee0
SHA1

9bcf8c1b33c36cda327945b331f76c015aa3fc2d
SHA256

94a54e052116933d92151ba3308f6dadec8bc38d4c09d8664e9f30e63788cbcf
SHA512

88bf0194027fa155fea083c22b843abdf9d100b9eff29ff8762e50a39da151b2fca9fa7b696d8bc3ee278aaa0729567d1a3784d44ef7ee5e11c7de44a676a23b
SSDEEP

12288:QuVUpob/8OvHs3tbP0pvxkep5ZNGdJSeBoaB9L7:Qu+pS0+M3tb0pvaep5ZUJfWiJ7

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 1 IoCs

pid	Process
2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe

Loads dropped DLL 2 IoCs

pid	Process
2884	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0.exe
2884	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2596-11-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/files/0x000b000000012029-10.dat	upx
behavioral1/memory/2596-17-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2596-15-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2596-13-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2596-21-0x0000000000400000-0x000000000045B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2FC5ECE1-C720-11EF-A0C2-62CAC36041A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2FC5C5D1-C720-11EF-A0C2-62CAC36041A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441774520"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe
2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe
2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe
2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe
2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe
2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe
2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe
2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3048	iexplore.exe
3004	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3048	iexplore.exe
3048	iexplore.exe
3004	iexplore.exe
3004	iexplore.exe
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2368	IEXPLORE.EXE
2368	IEXPLORE.EXE
2368	IEXPLORE.EXE
2368	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2596	2884	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0.exe	31
PID 2884 wrote to memory of 2596	2884	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0.exe	31
PID 2884 wrote to memory of 2596	2884	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0.exe	31
PID 2884 wrote to memory of 2596	2884	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0.exe	31
PID 2596 wrote to memory of 3048	2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe	32
PID 2596 wrote to memory of 3048	2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe	32
PID 2596 wrote to memory of 3048	2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe	32
PID 2596 wrote to memory of 3048	2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe	32
PID 2596 wrote to memory of 3004	2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe	33
PID 2596 wrote to memory of 3004	2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe	33
PID 2596 wrote to memory of 3004	2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe	33
PID 2596 wrote to memory of 3004	2596	JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe	33
PID 3048 wrote to memory of 2620	3048	iexplore.exe	34
PID 3048 wrote to memory of 2620	3048	iexplore.exe	34
PID 3048 wrote to memory of 2620	3048	iexplore.exe	34
PID 3048 wrote to memory of 2620	3048	iexplore.exe	34
PID 3004 wrote to memory of 2368	3004	iexplore.exe	35
PID 3004 wrote to memory of 2368	3004	iexplore.exe	35
PID 3004 wrote to memory of 2368	3004	iexplore.exe	35
PID 3004 wrote to memory of 2368	3004	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2620
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8825a9b435a94d685e34b84b4807605b

SHA1
5193d43c40e61da3350c5822eae8aba2e8a23634

SHA256
7a23efebd1dbb8d0248c44c96ae6ee9c2c7ced2c82abc31e4b03b5644ef87172

SHA512
c74d35872b839813a67c4ef6ed0f351a2ae40244fd2b37eea60830c55110cd00a5a36d85670e76cedbc36538d25932d499576338dcfeb2cb0c4d7f36f30a98e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d4755d4298b2d3edfb531512cb045de

SHA1
ade268c4d1cc2857e79b401bc6a452e0bc244265

SHA256
bc913c5935f909af9ba354877ba67e1f61b8f01811f225af8eda761875acdded

SHA512
0b70f95a662ce8e30ee5cedce68ca38b49d57d1ed2fa087dfa1eca93e3c607703f49fa651a7577e291ead295f071adad1593962027a1f8d7a45b280091963621

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6dea914fc086f52a1e28fe47abd244c

SHA1
9f4016ebb62e9d996a01ec3f6f0eafe7712171f0

SHA256
0712310877eb6e7cdd1518929e13c700fcfb46750e57b8c08f897f0949e72981

SHA512
7a1594527de86577cad388d51d44959188a2407ba26d464b2ae7762c80a5f07c456b9402a59a94cc9280323e9ed13f1d1a293a7d1f70c142fd5e47f4b79565de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c42a23c6d9e4238c1decd6e4a02f8c4e

SHA1
a5dffd338ac4c7116a4236e73aa99d631ff1f5d2

SHA256
e1cef81f6813677507c98743cba5e657d6a3d130b9346bb91d7760668f426a85

SHA512
44b100972de22a81d727ae87c8dae9447195bb8148c27feb80856c34a773ca5db1db24c225583ae0cdb297cce875318295ddf47849c5a3a7da4d2a31b08e4110

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2f3bf474faafb1bc0d6bffc1a51bc9f

SHA1
f07242f540c55972e6a5531f9ca7cbbe84638785

SHA256
8a2f02e56693308333d55bf5c8691d39bd71abd3a7dbccc7adc9389f002c10e3

SHA512
4d351cb649c8f2e9343114a146083367f59be2e29a76e308a4d2422f8f8c757e0169485b72fd3584e019f1b1c8849e710827521800ffc84e8f1ba146c41e541c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34a8f619c4524ce8381d80b3076ff601

SHA1
b29676119d86e30df636d471747a3c5da1cc3844

SHA256
e5ec246b1f5c10b1d04bb20dff7a1e4ad14d9b1296ca5968e24afc3f1f37b5e7

SHA512
2f486d43f7df7b33cfd91239cdae7a0a8adb9e6ab165e98f8b0392e6fbd8346756d2656843b647aa8d63a3b49c0608eb5cb0257357f8fa6ad426983a415dad49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e33c62c3e12f43d0f25043cd3a650f5

SHA1
866491a2977238411dc3b15348f69627a03f3ce2

SHA256
e9f6295149d3f01cd3107679888c2e7bc76a07cf4b68a3a11ee64cbe6cc340cf

SHA512
3cc13c7476e86c182c7aca1937b242daaa8a9c63938d73b02128addd6941e7b70d9302dcc203295739b1dde973bd0eaab1c16cde44f551dbcf370f03ccfcd97f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc3229f59701325d59edc14448d315f5

SHA1
e99776c897dc48dc300c74673fc9db1a8f7eb66f

SHA256
d5c45412788509c804e506614f1cf30d56f345828424bc3c7e5749a7bae5946a

SHA512
d41539574b1697cb40e37f1c80be3aaad0f92ad4dd943a1ef622a411999fbe04150148bd3144f3a76bf959b91b3e942aa7610f25b3261150a44e536c10f862e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92e9fd9a387846642384db5d0aeaa75b

SHA1
e3fd1d4ff026857f6f2b7fc5941cc8e75fa98bf1

SHA256
d2cce41495920e3823c480dfcd69b93cab45b89cf436b285defe792cdedeb774

SHA512
146eda52eccbfefb80e0a26ba6fea7ce62e07834a48ccaf4151ce9ba1c8c8ce03f32044b7dbb176461a43ed5ec2677809073012109bb85465cb9c6b8013e3bb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c235874a8da4cdaa3fd11557bf91abe

SHA1
b462327a063c497c6ad8ac0f2c3ecec13135acad

SHA256
948ebede02e14b0a0b4fa295ce8637ac9d260249106322170b69bcd056bd4b1c

SHA512
830f50a4c94eef84c4edcb8a2f07d18728c22542be628ca22b9ec6c38c63e014e1b6f06b514962d7186b2d22cff36cb82f7e27b1ef0ed0f905284c546c05f4cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
453eefcce2f96aae29d53294989ffc6d

SHA1
c4a8f1b5b4f7c8e77f3976cfdb2def6015b1b549

SHA256
efb391a9718c49683a56aee217c842d9c2a87c5a3f9f78cf945559692ef2206b

SHA512
4f0da2ab2a107e896a5ded535053b767d86904ffcf32c2d8c13ee560ddb89ca5ae1952bca5e0940b33a8e51beb8a8cb0bf25fe816fb1c05bc00e6e2959e8d626

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69b08c6d8908fe805866899fa835ec3b

SHA1
c09838ca55635afa18aa6022bff962ece668e10d

SHA256
38bef6f3004ca8899fbb170d3c53622330fde344b714fb71e55ade7f6ad2c033

SHA512
3f9ef74c37e270ad823f45327a01af1c3474611b2f1b50973d9ad2cc0f782b573c1edb132e1958c17ebeac7d5f72ad13885a4a7125ae8db6820917c68524494e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d93ee43ddecdafe11b91a9ee8d79be53

SHA1
afbae652a6a4c6df7822d5fe0763d6fba2987680

SHA256
103811944a0c553a329814957460f7de9083fbe99e0266d0859d68246f073de6

SHA512
50c8415fc42e5434231771b9a14e7419fb7fd6de58d1a0ac12dfce7431f42e111deacb8664a08c6d974d09b74d6665e6da5019988b2c3173c1bc7496b8de25be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bac0c600e7ef345e985c25720f38c42

SHA1
e558f84edaa0ba79ff83489f5a9414c24b4cc29f

SHA256
3c60c749aae4c6bd1f2b8dcc67e7a79f4c4d28969a740e6c65785825b3cb4f85

SHA512
306cf5bdd8f8a92d7c35d359339c09d356551dbff7c4aa51b17d4b0b8432a483eafad4831f62a29cadf0fdb40114367bbd09ea9b32b317e268cb923c1a7f8ead

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
014a9a00325061df29fa081d6885aa09

SHA1
5b7dae280bd08ecd471c8efaea90ec28271f18d7

SHA256
2b3425a8b668eb7dbab2e2237da33d5a0ac76a651ee41f8c371c25aa2533b460

SHA512
a7b0609cb272e371335e3942939976a56f8ff909d77dbe4ab4b34f393f99ab534eaf8ba45bfecb9ce54249954211959e25d355779b26f7dc8b3dfa352063cbb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb240b733de2bf9b25574bd53fd258b4

SHA1
0e327bfcbb66da2082b943f28ac6c58d8457831d

SHA256
4014a25c9fe88bd3459137927fbebedc9f5399f5afd375337b203042b7e836ae

SHA512
d6e1c5a5f38593b47b3451d67b4a53fb7d1ea847a66504ad4ded4e35b80059aed83dd32f10fd3005fe699870d42bc91e606be053db0afb2f6aa1795a94d9f6db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23e637501ebc164158da43bba481f5e9

SHA1
d5e02521839f4624d9dd66027d6f1a6008533456

SHA256
aaaae251c9cdd32dee58e85e0e72b03159b4491c103bcd445adf2be9343f57fa

SHA512
ac2d9350dd768b3de375ad12ca643b9f635a2d30be2995028764207d26a244bf11729acd1a1c5953decd7a4b8a68892c0ee33d269eeb0d382c214cc30ee77c56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a0916b23c01ed800432aa5bab9e0a4d

SHA1
6a0598f73a3da5f6efa8b13c509ffc5fcd88ad54

SHA256
3b86afb8f0be57e36b6b2927506a5d7baa8a6784db5603355b3d8fce55e963e3

SHA512
1fef26e87afedcae00a919576af88feb02b3539c43be862819d75cf39e464b5f71f981912e7c522ff279836440d8f460252297a350c6a41367ef7a03415d95da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2FC5C5D1-C720-11EF-A0C2-62CAC36041A9}.dat

Filesize
5KB

MD5
d64e873e239acc53d89957f9a01c2dd4

SHA1
b7160ee6f4da16b27aac43aeb88bb662308713b9

SHA256
1c2e25d11d4acc07e1ac229160fbc9e774a91843cfc9603541d096c6e4f3323b

SHA512
65f9be14a71c868434f8e42f19c99316258b0fe51dfb201a3652698c31ad20306fe50d371b237ccd1da6537f401392194b29d614e783090e374c4a5f88bfe4bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2FC5ECE1-C720-11EF-A0C2-62CAC36041A9}.dat

Filesize
4KB

MD5
9f4f160cfb3bafe874b2156a919ac0b9

SHA1
8fa7588f48f5186427edbbb1f5df24e556c33a4a

SHA256
d2f5a2ba9994dc68f60199efd3fcc87e0b87a13c659d8826d9a98b6f746a1232

SHA512
b74b75857cac211412e5cc5fdd455b697c8ad90df20d6b7f2bd6dd89eea3162bc523897c3cf77884c1a5ea32d1adc3d372c8989c449d0e9e6a1bf1b8793cef0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7BD6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_014a67e0ee07f82c50a5dbc176a3aee0mgr.exe

Filesize
127KB

MD5
25ce9982b3fc6e957bcfcebc66aa8605

SHA1
03776bb5318cad6bfd7cdfbf31a690169e760083

SHA256
3b83191d3025fb6690bbe15344846aed16d4241f499ba9d1e8e1f4227d423183

SHA512
b42d9793a40e2be498dbabce31dbb483557f343547474b78da359383923c3b0d16cf6444eeb82dca0db98b77238aba0a3bdbde45e0f8de8a0cd16ccb27a2da49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7CB5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2596-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2596-13-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2596-15-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2596-14-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2596-17-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2596-16-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2596-12-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2596-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2884-0-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2884-20-0x00000000002E0000-0x000000000033B000-memory.dmp

Filesize
364KB

Download
memory/2884-8-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2884-9-0x00000000002E0000-0x000000000033B000-memory.dmp

Filesize
364KB

Download