ramnit | d1ec457eab6fdee6069a68b7254d285da85b58aac62202900daf8f9622be09f4

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe
Size

176KB
MD5

60eb23fca4d131d362b8e39c0325bb00
SHA1

ef3519f410b08480d2f8be81717a973cbf2826af
SHA256

d1ec457eab6fdee6069a68b7254d285da85b58aac62202900daf8f9622be09f4
SHA512

8f0e4d46385035921c19a55b07b0d987fd268a0f2ce0b5a8ab7584dd3bf82d5ba961d38a21ed2dd562ef0a4ccab938ba3be0c40bef0651563568a6b444012854
SSDEEP

3072:5APazUfD8iJDZnxrYudpi78EfkE10q/pMIi9x:5+D8ivxpg7V110MWhz

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 1 IoCs

pid	Process
2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe

Loads dropped DLL 2 IoCs

pid	Process
2780	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe
2780	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000120fb-2.dat	upx
behavioral1/memory/2828-14-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2828-18-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9F3B29B1-C88C-11EF-9188-62D153EDECD4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9F3AB481-C88C-11EF-9188-62D153EDECD4} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441931043"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe
2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe
2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe
2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe
2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe
2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe
2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe
2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2928	iexplore.exe
2800	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2780	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe
2928	iexplore.exe
2928	iexplore.exe
2800	iexplore.exe
2800	iexplore.exe
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2828	2780	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe	30
PID 2780 wrote to memory of 2828	2780	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe	30
PID 2780 wrote to memory of 2828	2780	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe	30
PID 2780 wrote to memory of 2828	2780	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe	30
PID 2828 wrote to memory of 2800	2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe	31
PID 2828 wrote to memory of 2800	2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe	31
PID 2828 wrote to memory of 2800	2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe	31
PID 2828 wrote to memory of 2800	2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe	31
PID 2828 wrote to memory of 2928	2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe	32
PID 2828 wrote to memory of 2928	2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe	32
PID 2828 wrote to memory of 2928	2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe	32
PID 2828 wrote to memory of 2928	2828	JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe	32
PID 2928 wrote to memory of 2616	2928	iexplore.exe	33
PID 2928 wrote to memory of 2616	2928	iexplore.exe	33
PID 2928 wrote to memory of 2616	2928	iexplore.exe	33
PID 2928 wrote to memory of 2616	2928	iexplore.exe	33
PID 2800 wrote to memory of 2648	2800	iexplore.exe	34
PID 2800 wrote to memory of 2648	2800	iexplore.exe	34
PID 2800 wrote to memory of 2648	2800	iexplore.exe	34
PID 2800 wrote to memory of 2648	2800	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2648
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5eb284cf859c94711d023964cd001aff

SHA1
8d434eacdf7141c7dfdaf9ece823433a8dfe9306

SHA256
35c469f41d06609ee271c96ec1accb8a0a7bbb2ce612ec32d5377398b03dc8f8

SHA512
5d80a8035267d4f852fce4bb73040b4e9cfa2132cf2ee8da351279ec27ffef4f5f8e1ab8b07ff721153e6ee0023853b7f969c40dab7861d55e4f1a569ab7e7a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fbf7eb1d83ed335d399d6a47e7071a4

SHA1
da094c571c0bff130cc1c17686360e9b7b4e07b4

SHA256
be688cfad2e522ea996557bda13805229d858f73b506904371f1627eee71494a

SHA512
fa047543e896795e1dfc652b30f3c031041a82ad91620366f2277d7322b1ebb2e203a40c0e0f673192e98b0c5af03c8d8408ed26943bc503d7247cb7c0221048

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dd9052c014018559397b4e4295e4568

SHA1
be13c1712c627e344847d17b18dea6109014c051

SHA256
bbbe73fd8e28a59f80cb5810d700b7f04f2d2a7b691acfcd78107c1e1fb9fbb5

SHA512
bc3bef9b7f2a2c5c4e00eb64a8a2855742aeb29ea987e3718f761d95373755cb67163df414650453b8c5fde6d4ac5a3d4e2a6906dfe0c72c4733719580784644

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b12c807f225a236d4436e5759578429

SHA1
7f88227338f2ff5bc978108ef1514531f9eb26e4

SHA256
7cf03133fba36c46dc3c36cfe155fa8697e27b8e5865416f2fa2eb6585fdcbd4

SHA512
3d6c7b8bc0767e8d61a1bdc50f788e32e56b914a149b0b7569bf7df75cd3ee0d521a63c16627de2947a6ffe0412efd48b9ff25e75e36bc1ce7210a90b25cba78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
440e7fe62b298a4e6020ee40b12d86c1

SHA1
4e873b14ec49c968c9f9f5a9a8c34dfee25dc9bd

SHA256
aecf406ab6c7f680b9fc53da44075dad9ef1bebd0a83dadfd1e972d2ee1dbbad

SHA512
56ba7d560c350079fcba0fa564c57586431709ae47c6fd82045a9be9625624c74b5c0db57c18d0c4a985f36249690c0077349b4ecd2a456f450191e02348e850

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f053ff78173b18c408b13afca4f061c

SHA1
f76333a2fd54e23202f57cc1c85b485484382eb0

SHA256
64357e15a8ea1c96808f01cd0887b784bf9cf5b2c091eb37740e5d212f6de48c

SHA512
f63a09e3f2b9635232dac752d61d009ec61a1cf973e18ed3cb0b628c1be00d5bb9fc1df3abd0e4873ed0872a1d4b576995bbc96c5055f41a50309e73b9c9fb9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc7bb8b9e5b1bed50383a219d8c360c0

SHA1
d35e49a563c9e91a6316cf8abe4d11993c993d7f

SHA256
e47c2a45076a545e7c6301eecd323666dcd7c404110bdc2157580b6db14bce9b

SHA512
82cafb47eb74c1c028956ba40397da7952c8417128bd3ea2b55d4e68df4fa461b9b31f458fee76b288b4dd5b60639750e9bc86c33eafd2fd97a871d266df0be1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
272dedb026b4901ee438613c9b75ad36

SHA1
b7c0be99a2bcfb87b1245a8d12d6470f7c717fba

SHA256
5673d105836912813296911f1605ac043cc179c170d5b283f3bea5660650af8f

SHA512
73821fea49107b941551364124903a48821adf4026ff1dfaaccb4fe1f16b90d608fe36036f813ed1a3a947666fd9fcf292b1357e44a6bb117a2eb7540104ce7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61a0118e358022da5118415d7ea09d68

SHA1
36d0adb1ffa9e3cd221a0c94d83afc0b95fd347a

SHA256
7acbede95fd9a9ae0fc65a0ec59ac661683bbd2f740fcf646a85442e5408c97d

SHA512
1457071a31b369fe57b4c1dbda407454324b4e6db22459e1c82347754db19073de2cf6733d4edc8a6388fe15cb5519ddac38dff652c03f77f7dd734caeb1efb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26086b9f911b9c77745978a8342a642d

SHA1
9215b144c2c279eb5eda858554c1477ad9689de2

SHA256
d73b535f3f130d4cc1fda84d512931d1e2b2fc51c9e53480874f201457491748

SHA512
0810ee8f3b6978c275740acc3b6ca5ff907dc6b0542b5d26b43fab246f0e32ccdaf329fecf07c0ad46dba74389a1e43c8788d9ef9f03718acd183dadeaa89f53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ea7043b6eee9b4a57c5384f1edd8f9d

SHA1
1842f1657a08352cf5f424dee8bcef2bbba488d6

SHA256
e6fcb0cacd840a40dbeb199505f0bbb013163d83c10eb06ab9f5125cb0bbb996

SHA512
11acdd2b5118294e6fdf8cb4a31f4e8e747e33b3a4c754af47a254c311c0bf5d805e37a4661403b20671b49f21483c4de0e8efc6a616728030bbd28b19974ce6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4edbf6560fec2017e78b7c29159ee0e

SHA1
983ed99472c34faa61a2646a60b00393f3fc1cf5

SHA256
d4a963aa24d8c373465d42b85240c1eaeadc4efea5ae6e5a5399448b4d96852f

SHA512
54549ee1f9ae6e65e5c4fe24a4495d9674fbc3ba4d6a397fc31ff8584b9d487f402611964eb1789ebf85f53081e432960912046c987ffedd820d76dd7bc2cbad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2e94889b79489f08b62b83599b7ff74

SHA1
fef22d825e2274fc4a52c95984a7214c9602a0cd

SHA256
e4cfc7295d64b9bd3043846a008bf69edd2f2d52f84ca201e0966fb1185f2318

SHA512
9268c4873d5bd450e6cc6b1e24720e4ad01c32291112538644e9abeee86c03208335b3ee3fa88870b602fca07d5b08d192434f4c8cb8b163937fdff1cdb02a81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a90addb2c0c8801979c6c0594ce67f0c

SHA1
4726380ff6c10eabaa221467e46b5876db5702fe

SHA256
90d02b087185ae216dc18d391897ac604fc7833eb2cf101998a454c764bab94b

SHA512
87f87fb489927df64a5577ca76a75b4ab542ed89f83553a7f43815948b00a8b41f91d93567dc8df306e04575a04cacac15b8538beb33d5acbd460fe19bcd302b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86bcbe988bd282b997d8e38b4500354b

SHA1
146e710eaa4265e4671d2e73dd9b05eab92b2a84

SHA256
3e1150e10e68d909d41d0b03bce1b558138f925126c786d8c81f3f19923db496

SHA512
c9c34d3a2660340765f59b0f83149a38ea1f74ee2e7409d17d1aa0517df8f54d3b659bc6112223e64eb8f8804c93b7e28d801671c9235ae390f12796bcb48506

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c628f5297c5dfd6ea4f3cbd5328bdfa

SHA1
0bc9cc8e00964926d64125685b8e48f9e4466082

SHA256
9ce4f9e9c188778c0176ea9e4637385f862342794f335a74d0bd69bb533f3097

SHA512
270a7c2ae8e0334c587995b3eedd21d27e3950bb95f902808887a54a03c141821172def6b645895609d618a8b7a5921d5063b1bc197906a042d94b414961a446

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e21c29fc4bf9b369f0d9c8580f495c8

SHA1
c84af7ec494e5f7f9df2d5546b8edb6373c62a75

SHA256
851d20635fc280ed928d9b2e9a87c49c2991e911d2949e9496594acb648d07ab

SHA512
954274c232df1c6c293eff8be77ff2ab23732d266adf4e1ccc8a37b853b2eac4a498710d1824e71cd03ce94c3ad5eb1b5d9554ea4dba6384b0f29f4da40a7984

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68bd80dbdff4357f103ce43154bc0feb

SHA1
c592e1eee962d2ebb19eb45a35d5fcae53732cd9

SHA256
39a5a13842f7b3422cb951d59f6260c4912fc8a7ed7fff60253b2773c4d50471

SHA512
ebddf7ef55a7b728f3c5d14910d1276d28fe8937670a24a5f886ee08ecb6981dd06bce65322abd258540d23eecab290a1c2ed6e3aadeaa5bbb6183ad5a1c559a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6377a3349ff9ff6878320b5b455ada68

SHA1
63bcf0ef793f5d583bbdec874120ee415b1141f0

SHA256
5524a92f99e21f7087fe7addcc29d2e2ec19b63a51350620210cacce1c8947d4

SHA512
b25fcb4e493496e6daed06b8be1447d303e55787dc90723a1c08d122b8b7d363cec6c27ace86401ae3ca9214030d626b1acf0f4cbbc6844c785332c283e0bb42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9F3B29B1-C88C-11EF-9188-62D153EDECD4}.dat

Filesize
3KB

MD5
c4d5ec17a7a44d9c18961f9b5d28e093

SHA1
56fe092565ebd64d4ecc00b7e78d03b33805badd

SHA256
4450f78c60b4489f8314b511d25a2255a6ea3a32eae4964c1276a4147861e684

SHA512
a32efee6c6448cb63c297786b79c0723fbf3c9dd4f879085cd0f86c1b9f8508290dc49f6b8f866b6003e07918fcce7297ae3f4f44db9aa85c63ac4ad037acd27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3C58.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3CC8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe

Filesize
153KB

MD5
63caaedd9675796966020d2fd7ac9f3a

SHA1
2966ab246e9c8d926f61c91a7e5dd80e7798d7e6

SHA256
a5a5d6ead6799377d947f0d77be21b1d79ca54fda2aa0ed2e1eccb14bd4d465b

SHA512
4e811df6f0b890e462e203c07597486728f2342d9f5230509be681231844a59db0ab1411e5e8b382da60eeee16c9dddc7a1199e2d37335f86891db4549cc247d

Download Submit
memory/2780-15-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2780-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2780-16-0x00000000022C0000-0x000000000231D000-memory.dmp

Filesize
372KB

Download
memory/2780-9-0x00000000022C0000-0x000000000231D000-memory.dmp

Filesize
372KB

Download
memory/2780-8-0x00000000022C0000-0x000000000231D000-memory.dmp

Filesize
372KB

Download
memory/2828-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2828-11-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2828-14-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2828-18-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2828-12-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download