ramnit | f766cbd8564026033e984d122f424371ca8963c3a7972409dd7ed59a52f5bb74

Analysis

max time kernel
134s
max time network
129s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe
Size

178KB
MD5

45ee1a36449171fb2abb41a4ecc38a10
SHA1

af4e344281980bbac2c1cbb191df663bd55fb232
SHA256

f766cbd8564026033e984d122f424371ca8963c3a7972409dd7ed59a52f5bb74
SHA512

d661f1ea0a4a26cbd9b786e24baf6d7c3de005c0c2bb5773b127ae0e9cbb3ad16adf30e542023122a4af97687e6715487e291bf2581142eed35fe0b7dbea25a2
SSDEEP

3072:akAwOzhjdRmSZiAqFbrnp+KsYGngDrSsi5LNURwM/0j4IJqmxOilu+jGvCsfe4mS:+w8h/7PCkKsYGgDrS1L2wDMIgmxBuKM7

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 1 IoCs

pid	Process
1292	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10mgr.exe

Loads dropped DLL 2 IoCs

pid	Process
1500	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe
1500	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1292-23-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1292-21-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1292-22-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1292-25-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1500-12-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1500-11-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1500-10-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1500-9-0x0000000000400000-0x000000000041A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A1EF2481-C7F2-11EF-8BF0-428107983482} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441864906"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A1EEFD71-C7F2-11EF-8BF0-428107983482} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1500	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe
1500	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe
1500	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe
1500	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe
1292	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10mgr.exe
1292	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10mgr.exe
1292	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10mgr.exe
1292	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10mgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe
Token: SeDebugPrivilege	1292	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10mgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3068	iexplore.exe
2620	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2620	iexplore.exe
2620	iexplore.exe
3068	iexplore.exe
3068	iexplore.exe
3056	IEXPLORE.EXE
3056	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1500	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe
1292	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10mgr.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1292	1500	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe	30
PID 1500 wrote to memory of 1292	1500	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe	30
PID 1500 wrote to memory of 1292	1500	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe	30
PID 1500 wrote to memory of 1292	1500	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe	30
PID 1500 wrote to memory of 2620	1500	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe	31
PID 1500 wrote to memory of 2620	1500	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe	31
PID 1500 wrote to memory of 2620	1500	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe	31
PID 1500 wrote to memory of 2620	1500	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe	31
PID 1292 wrote to memory of 3068	1292	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10mgr.exe	32
PID 1292 wrote to memory of 3068	1292	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10mgr.exe	32
PID 1292 wrote to memory of 3068	1292	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10mgr.exe	32
PID 1292 wrote to memory of 3068	1292	JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10mgr.exe	32
PID 2620 wrote to memory of 2652	2620	iexplore.exe	33
PID 2620 wrote to memory of 2652	2620	iexplore.exe	33
PID 2620 wrote to memory of 2652	2620	iexplore.exe	33
PID 2620 wrote to memory of 2652	2620	iexplore.exe	33
PID 3068 wrote to memory of 3056	3068	iexplore.exe	34
PID 3068 wrote to memory of 3056	3068	iexplore.exe	34
PID 3068 wrote to memory of 3056	3068	iexplore.exe	34
PID 3068 wrote to memory of 3056	3068	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10mgr.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10mgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3068 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3056
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f7c881fb31e1c12e771605b6a72ff5f

SHA1
ca3cb1795fc81eb095a56eb2afeddd7ecf5d48ac

SHA256
564ddfbdb532e949eec4365497cd1296523f1c0dd36811234352c63485ebfb28

SHA512
ad713b85f6a374d4e1a0543d18fe86c704a4b2e5d722a73a54d58f146f236b1639357197040a1aa3f9a01900e11d730c4d34b9328f618f48e87f8d76c02fa2fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2750e5a90d66b27cc7d210602943f065

SHA1
ece53e03242a30010603f03e3295250c1239dca9

SHA256
9decaa7a3bfcbe0755dbeab01a35ced72a5d492a1e1a1918428ad7d846812eff

SHA512
25542d48f94a31198e4da9904d5a390a464358f4472d22703b661dcafacfcd9e8d5cc7a6b4836afe634a6b090d8184ac761eadb0377c20a0d953d91eb772da92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
290bcd29c1e28246b61cafd6f093f9cf

SHA1
cb4a3d1d143c0cf3a310fa20a260f9c156f476f2

SHA256
eb72aa407630c6057578c19be7cf7e30cd25a5746baaf045de588eae7e982195

SHA512
d744349187c9882c4260398c5b27eb1ff5fb8da8838189d827941c39ecf378f2bf1baca49e5a662e7979c2ebbbb341ec773d486ee61ceee5577164dd428ff68f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6b6c3ea35b142988f8c53887efebb02

SHA1
571db1a92e963efc1d943f00ed690a6c0f88d3dd

SHA256
8f541c6a8fd59e900969e4927b8474a5315d9bf4a6eaad5770f7384cff6754c0

SHA512
fc0c9d133cee7b42214495b92b515c57e96bda5ede5ec57cbecc8b4fd81b42b31adc18bbbb1061b55c9b7f243f7742b9e2319ac3a497a55e57c94651022c6267

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8e9c4fa1494d6b6c7936babf77c135a

SHA1
eeb6a3892f8824a6c2128a99d4f10c86cb6d64da

SHA256
1411aa9d042bcff958bc7bc7441d2f9d0dd0821c46dd0710d78d749cac9f9bce

SHA512
57d8817f3d067e1d89f5d31717dba32fc9313a583d997597e7bd69b69921a2bf8898ee29031ea8c826798f24ebb223215f81795f785b9182186dda87d5f19dcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4af4b1f1670fa0be63d12ee430c91b3

SHA1
f9d1384bc6d4a99542b4dd668a8df7a16711160b

SHA256
729c63d6966e435a092cae6d4df9ac7224588487193ed689480d6e3484e529ce

SHA512
4726e10c91ad0cb41caaa6b2bb376fcb9e5b0a599a08ebe6ef478ac1c8411806faf3118f3558fc1382522d468d3f93a18ad7d81e6541ef0e5e839c05bb55a5de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6e039e7679603df4d1bb748e5f70a53

SHA1
b0364b9a8c0f6c9a9a011b177bbf18db7efd6876

SHA256
51d0f0609fbb72f3282d01aa58edd0f70490dbb3ce7cb9ccad382b9dc53dddf4

SHA512
79d216a52c78963fa231768356dc3f81ccac3c9212ae2c3ad7c73181c45b16d213892eabcc6aceacebc0d1973bbf069fa0355b55b6eb00bc89616ca7ea83815b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
251d18aa42d3c81ed1c65378607a7003

SHA1
c4921bf17dbc853afcdc7d6f0037c2abdcbae2d9

SHA256
d9eed8b843bb83bc393741ef72260410ac7612218c51d09a4577d6cbb7a10972

SHA512
d363fbd475fd6f906d78403c435b9b3242da4ba90ca4643dfcf8e53072ff1c15a1458be76caba260b7f662bc88f18b2e313f63a66247586de5b13328f254a73d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecc0a30cf78fc64a0c31a4e632706994

SHA1
c5678cc27081403348b9f24bb7c3f44ed8965900

SHA256
e993f4f35b24f7b3fffe80d9c75b008c6d498237f0689e96b10812e5deb97ccc

SHA512
4b6cd8abc18cbb0b20c9c2fb17843e9ed93ab2252ba611a0227896f6f3972fe9c0af742df340137781e7d131ba88be67d5e34525180f4df7756d2dc806c14f11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1bd14fd8dfab5a494ec8c1cba24cc3c

SHA1
1fe79b3b38134b3597542bf7729f18f0b292b2f4

SHA256
c1d2474f0a6b287036f163d99426eb89ecf64de18cf74c2bfbde3f1c39ce6fd5

SHA512
03666355181d5516207a577b0c5b38cdb869fa11f8e709c41394c055f4398bd8f7cbd6a2292a4317d0de3263675e9545c73b3436fcd9b0128a9c5b332d2ebc46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3be386862e8354ac847bae1e0b09f5d

SHA1
b4d52e6f9266796d727f18b89b6a8a69272fcbd6

SHA256
0dd2e25ced6e3f33bb84e8b4925b679a3150b1c94670f675563ed58d1eb04810

SHA512
056d0ebc6734b1eeab114b6edbc570a7a6a1d3cce88a83109b19f5a5577228d9ba0f2de57d7dc4160291cded66b3d6248c5a4a331e39fb700bd5f82077b1bd2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cfb6e58a7de538ac30e356369c02af4

SHA1
b18bb14d2ede61a5e2e5d80e05a2fd8976e53af9

SHA256
0f35bad78ba4905e81b3b22112cc316cbe99588f9d66ce393081ed2e85e88481

SHA512
c346d33b178de8a4fc5be5250bd4619db667f95c18f3473544173d1c21b7a4ef6636ce5e1e42ce57df859af3b06f793551cc659021e9ac43135cb873ff774cde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01f3e8d8ffd8ef3cb1c9d9a0d9f49541

SHA1
fdbd31a9e7b0eae0602d10b1ff5b72e00d1f75fd

SHA256
3d6590c165c11472e778db6e6987319fc51894a190da6ce525e91371abf7d227

SHA512
03d1f1acc35e0744f7c5a81d081dfa83d4c899e8eca671f8708a92e71feafdc9302415fb1a9eb5d45b11035c59c0ef797ffc2b994c2d94074d15c60d46d49d69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26f9c1cc8f6d77e703b395123e1957b3

SHA1
4c5be20abb92287934e9ccb4dfb0d1ae305a3d3a

SHA256
6363fceba22ab807212b235c1c6d02b74df5a18ce8b73c01cb840e8d4fb3d4ea

SHA512
1bc9c8eda65cc4c25e5a95a0f3c1ebf74a1b5327e244adb17a500187a5d49fa118e036fe3f81fb03be832f0f1ae2cff0e13ee1d9fffe172378bdd3e24c8b5c31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44921841169441f598c2bd71d72f6593

SHA1
1f0ec1aa65ef9bcf35d3c9a7e1b2cda55683555a

SHA256
a817ca7fd3398bc31e8925e7fef68b69d8261fbc48e21686da6295d87eee2d18

SHA512
665dec34bc04be7cee1f8af93d1b209bc9360b3201086337759551099cae24f36bf4a6f8eda3f754a9278c0c281173e85c7f89cb76b960cf3b04a26c80b56066

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3394ce9db46c194219854306219a7b64

SHA1
ef5792eccd05068206394946cd306ea34c234302

SHA256
23aa5d92c89202e379420345abf929cd628cdebdb9502e34a6c5d454122a92f4

SHA512
12f5731656f7262e53860063c7ca1857f3158565d75a4436fabe31186d0fb53d37aa99b00de3c78c869886d12145ee04896549e8f8c2faf43cba543023ab79b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d38ed51402dca3101f891bc8cceba692

SHA1
5e9c1e4e3450e4975a234c38567a4c0586f5a641

SHA256
851e0348c0a044d38dcb3e70780a9e0310ee23d9f0959974530b17915bb299d5

SHA512
9b5aa77bd3d1a4700c96fa24c632637ebf38b91bcceb28f7cfe71b1059349b5599bca89857bc71566970bcb3181747b800eca97c8a38b1e152b84a193c2f0f3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd7d9f67e13528851aa299594c79aaa7

SHA1
b947bf830489f03e2e5829c8b446d5c06197b86d

SHA256
ca2a2f228dda92099ca95f625ea77efb267f23226284f6c70387f0add9e5f0cf

SHA512
e2a00bbd4fb1fd919cc9b0c3104c9ad5a0d419639c6a97e3bb0bc347a2c99ce67b7b38395e86fa720ae72ead5ef7064804648c5fdc7a3db2dd083ba49823bd12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32ed82a3958e132e05ce35ac0e86be5d

SHA1
c509089c72396c098da956d2bdcf005d943e6b5f

SHA256
dc672f04c1a752d6ae2b85912953f8ec68797da0fdfa87b78becc3283ccd041b

SHA512
f26636093a7ccfa8a52a5a6e0a343f3429a9088c66404c07f9bbd2ed6c50afad2ed5ff61fee50d89ec9e28b38e20637224aa5d994da3a184b0ce66b1f8710454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A1EEFD71-C7F2-11EF-8BF0-428107983482}.dat

Filesize
5KB

MD5
9c8176716cd95d65d791df4a4ffcd646

SHA1
fab2eea7bc7a8ef6a85e854ce0efa7a67dd716d1

SHA256
517cfa0f2f8c809cd4f93b27ca4a4e4f0de44843a114f954b5d3b859be3d3d49

SHA512
52cc139ce216b9c8545ef73a69e069c1810fb0b90d0c05421d9a24739487c7c053c05c3fca9bfed39949d8304afdb4c04de46f21f4b52e72899a0323057ad436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A1EF2481-C7F2-11EF-8BF0-428107983482}.dat

Filesize
4KB

MD5
2a39e5946af0db495dd3919f82a8d0d6

SHA1
dec3eb099add2042a86b05bffebc28632f5f039c

SHA256
b214b0168e1225a432091f3b2f68aeec70294f1161e5b3e35d3474ef4ed66ddd

SHA512
2d939756dd7348749281838a5627b3bcf7147924da2bb68946699fa0190e8237f58998c7158ed2537d4e735ae501a3e72272be95cbf7e5c2a4cb017a2cc63abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDD74.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDE54.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_45ee1a36449171fb2abb41a4ecc38a10mgr.exe

Filesize
88KB

MD5
a61ea5f2325332c52bff5bce3d161336

SHA1
3a883b8241f5f2efaa76367240db800d78a0209c

SHA256
e6f8a54ed663061527ab46b8e8efc2a0f3c99ae77829c0be0e50eb5b1b48415b

SHA512
fae031e0e7dcd719240bfe94a3f78d1aac73060324d5b65e0cbe564ce6d6781aaa5e930f0729293e3b502b7d07f53f3a72fb2048d44d93d36851aab8330479e5

Download Submit
memory/1292-25-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1292-23-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1292-21-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1292-22-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1500-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1500-14-0x00000000003B0000-0x00000000003D0000-memory.dmp

Filesize
128KB

Download
memory/1500-15-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1500-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1500-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1500-27-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1500-28-0x000000007775F000-0x0000000077760000-memory.dmp

Filesize
4KB

Download
memory/1500-10-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1500-9-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1500-3-0x00000000003B0000-0x00000000003D0000-memory.dmp

Filesize
128KB

Download