ramnit | 9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe
Size

178KB
MD5

4c357d76c061f83034a2d2fa9bd1d6c0
SHA1

4aacc3d385eca6ec1d4296e348b8006f359e7166
SHA256

9c51203a4b7e087b050be75eac127cdeb717286a542961f294e48e0e1e1ea432
SHA512

0fce4158b00aff53b7ea2ca11e1af38876ba8d9e8a4b0941eafd50b081df61c5ca0c25791f504d6f844e00706544dfab281de05e1863b6d572808d2fa2848ff7
SSDEEP

3072:akAwOzhjdRmSZiAqFbrnp+KsYGngtnQnMgjy7jfY0fJLr/7AIvpwZj9u6js5U:+w8h/7PCkKsYGg5Pgjy9RLDcY+hu8V

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 1 IoCs

pid	Process
1804	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0mgr.exe

Loads dropped DLL 2 IoCs

pid	Process
1680	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe
1680	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1680-21-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1680-19-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1680-18-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1680-28-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1680-15-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1680-14-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1680-13-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1680-12-0x0000000000400000-0x000000000041A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B41912A1-C811-11EF-976E-62CAC36041A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B41B0E71-C811-11EF-976E-62CAC36041A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441878250"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1680	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe
1680	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe
1680	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe
1680	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe
1804	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0mgr.exe
1804	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0mgr.exe
1804	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0mgr.exe
1804	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0mgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe
Token: SeDebugPrivilege	1804	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0mgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2112	iexplore.exe
2844	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2112	iexplore.exe
2112	iexplore.exe
2844	iexplore.exe
2844	iexplore.exe
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1680	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe
1804	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0mgr.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1804	1680	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe	30
PID 1680 wrote to memory of 1804	1680	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe	30
PID 1680 wrote to memory of 1804	1680	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe	30
PID 1680 wrote to memory of 1804	1680	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe	30
PID 1680 wrote to memory of 2112	1680	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe	31
PID 1680 wrote to memory of 2112	1680	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe	31
PID 1680 wrote to memory of 2112	1680	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe	31
PID 1680 wrote to memory of 2112	1680	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe	31
PID 1804 wrote to memory of 2844	1804	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0mgr.exe	32
PID 1804 wrote to memory of 2844	1804	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0mgr.exe	32
PID 1804 wrote to memory of 2844	1804	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0mgr.exe	32
PID 1804 wrote to memory of 2844	1804	JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0mgr.exe	32
PID 2112 wrote to memory of 2632	2112	iexplore.exe	33
PID 2112 wrote to memory of 2632	2112	iexplore.exe	33
PID 2112 wrote to memory of 2632	2112	iexplore.exe	33
PID 2112 wrote to memory of 2632	2112	iexplore.exe	33
PID 2844 wrote to memory of 2628	2844	iexplore.exe	34
PID 2844 wrote to memory of 2628	2844	iexplore.exe	34
PID 2844 wrote to memory of 2628	2844	iexplore.exe	34
PID 2844 wrote to memory of 2628	2844	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0mgr.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0mgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2844 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2628
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2112 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbd1ffed88c47b014e3c3b75fa077c09

SHA1
3f81a536bfd5b40e3d0060e7152fa45209ebba6e

SHA256
5805a438798c5d849cd68e45ed5dcf53e36955c435a74023b673de3f2970ed06

SHA512
c2e338838e918c019672846ac2cf5eec78430d5aef40f21f0d51dc8811d73dbacf6c2026b3387414e5122fcb0731258478ed9b699d8d4829b613dc4c262a264f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8a2a92ba47ed217efe446464cf1c4b5

SHA1
0c548227bb73725a3e16d2e6b4a1f3d15bedc50e

SHA256
29cbc564d34a6ec3858b49080778b826ec7c0501189595e739b97032b18277a6

SHA512
181bbe6c1fc64b93f712e79d0c070c953936e0ad8842f2fde88873f31ff8970c45e578cd6bf44c7e781931f988da5e6b494a0e9ddb136a63ff8ab23e365c6bf4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6de8745cbec968a975018e22d8bf833

SHA1
f0c28aecb00de3e3e67bebc9b63fdc986dba2491

SHA256
59307f6efb9ab1fc4b7b5e8f00864346257aaa4a9a4cb9ee9b7f705513768f6d

SHA512
fe26fed3e7128f654150514dd546ef066fbf23c1a2bdbf471fd7276c9987a58c7fd16c36dc2de40a873afe415f54414b6e4c464d1dd1472460216e7c355c8faf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78df1a0b38e3a56e6a65bc40b7d0319a

SHA1
649fb27b9b992e308b45dc173eac59f453600386

SHA256
4709d5dacbf613419d3268c3802e2cfb8e2a8cdca47879857b7813d0723c13c3

SHA512
d60ad61dfc6bb0987de1889c11ebb05732c81add8c5d7bd0876bfa3449ae7be279ef75f374ff24bd60499d7b57e5b9a8d9b2fe3c10a7a6d0d9009ecaa9830e76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56a1480f4233e9baa8159b92560f2618

SHA1
ab7a72fad3a89d25fda8f74c0fbf2b83e6ef63f0

SHA256
38f075c41b32fb9a9b88580d52abdf003c85f57297d90efcaa57cdb0cbaf0e98

SHA512
d7b9e81363c9df80f5cc23a097965f8019f236550f042c2baac126cfbb3ee55f00143b630139ef3687cfa67c62779b8501516506e518bfb304eaa6ee39ceb398

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2b2f63db1cf055cd8aa0f2696214977

SHA1
23d84b99b6edf807ef523cb3fd2e59349c2780c3

SHA256
fa13a25d59693c83d89c67753ddfae7f2d2443ad41a530893b0186df4e97dd65

SHA512
259e053c732d2314dd54f056ae7c70a220c634767bdefab9a9b4d8922d05a10bcd9b1652997257cbabb5137dcffe67be3828b199010165e0a9bb1160a68c77bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4cf8bd5062a54f84c6fe75023c5c326

SHA1
9bf49295b20b8dcfbede90178e24019c7c8cd500

SHA256
a1e49989831e6e09c944e3e38b0917939d689ae9f280dc504cd9557a862010f9

SHA512
c345cca5c77e7315ab676e956bea8ad728de4cf22caa2daaf7d7caa1bed7e4e3a1d308348c4975198377b11691f8af808ca6e7d7cb1686c0aeb6cf6c7a352eab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ef2d74eef0512965c9a94396e6bcee3

SHA1
48f90f28960f1ecbae03718ff3844cb20a108e5c

SHA256
b815752ebf50385131e3227747e1ebb3b3131ae294c8de3a5ebf45682c80cc9f

SHA512
5b00efb4dd1401515e5e8d77cc9b050a08864c621fe150966b6dd115cadeaced9efd5e3a447a416a30724ab3dba9a9c56e3efa10f43008b2eef274e877f3e7a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b39de11ae8707c0f621c4bcc1d5e1b9c

SHA1
ba06e1c3029939e8642a407769d0c39922a86e2a

SHA256
55fc34ec6c9b2960d9c6baaf50105c24b92f54524374862661928739a89ee6fc

SHA512
727c479e396fef72b389eea2e103dff652e0983631d8c022b1bc070aa458d441893fd07b57df9afe15aa18fdf5be6956a71e6f7ebc96f8f74baff5196907fea2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2965d53f5cea20b8d1516cda982edaac

SHA1
2e4437da4e7c737569c3426f042c860d71598ad6

SHA256
dcb221ac1681eb719abce09591723d22938eb03f37cbf96fdcf68e551216f2a9

SHA512
5136d233a83ada8b73ad2c4c8600140837e5e0f1b9d39d706113254ed6e3f96d9e188288e18333adfcb6717f7a4644032f4b7f3e4c3a3b96a02403b801c5596e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
814b8567b776a8c0210fc822846b0ff5

SHA1
f33a79c29fb27e7dfa2df73974f55ef1e57b14dc

SHA256
0283c88a6659058bd311867cfcfb6c875b750d7e8967b7bcebe42b399558f2f1

SHA512
1aa2b26a97b6e7061e17e44829f4c11063fa28b1dea76a22be15d46fc5a1b850fc4466f815a47e6221616c84d4fb7b0ac78615fb196b621061305a8094e77a50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5255514f09bf432ec15d704568c7f1f4

SHA1
5eb9066f02215992118e54c999f6e8f75102a6be

SHA256
10ad4cb17ee8a193ec1136a8f8b4f245f9605d5865a0419038b136e13b185dcf

SHA512
d13dbf62931fd1b8cb5e4603da42c3c8877beba2f8be47c29dc7c46a3b0deb2f47c6d8f12141829fab597ada1185b462ade0da9daaec3964af067fe6932549e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2123efa6a09fe2ec85d359682c7c42c

SHA1
b961ff71f0b4102383e316603c1a1833db736d63

SHA256
7342262e37b77130aecf89dce68a000844c7bd8ec0a196822f4d7aaa6a01ba06

SHA512
2e5c4645073cbb1dfdaa727ca80b1c0d10b6b77b2a35dda4cf7b7383ccac2601613728973cb70342dd397d14c8316e8f11417d855b4d220a91c9eeb9af86c010

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93cd8be786ae99129562e2c0d93ecd1f

SHA1
a6ed311366885a8369fa0ced6f48b893bae72ebe

SHA256
5cb56e316bef5b3fb5634c511633c6d37123157ba0128ba932c6b365e5f1ace3

SHA512
ea890c516094b482b77fd2e1990f9e2929c9def6d6ab385bdcbe215924c770c43ecbb3dfd56a90f04093203e3fcfe1189454e179e5b967bf9bd0a0bf2a32ed97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
391c47e8ed1c648e29f66c2075598c9f

SHA1
2ca1383d47bb672193d3d7e4fab8b7c6301fec52

SHA256
c33649b110bd40d1d3ff5cdc12f95573441bf79f1ed1fc84b4dce36f6f055d5c

SHA512
3edf032409ed93488982a85780c2371df62ff00327ef78f82de405af683b8106158646192c322edf19609a8e1174f47a9bbe5de804c60d564460b5ed913a3d16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b22efac92e52e6bfbf4dd2b191bd35c1

SHA1
655319e28ac7731e250b9af4947531829c33a9f4

SHA256
ba22b6decfda62352615e0cc116c4eef74ac6939aa07f6b0fc5cdd8a672ccf80

SHA512
9dac2a191e59a803dc9fb830e0cf3d6ed14d474bd057bab799aaab4e64a96a592ccf2f70d2f1bff17bc3c707b9bf8bd191794a399f4200d5a3c1c4e238ca3e7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
155e97b7a2e63636dda47d4affcec9d6

SHA1
0a048c70fe7df17320b3c8e5c7e05fcebd606d93

SHA256
7d072e5339f2e0a294321583c44b195e5ed4a2756bffa0260d03efac1bed8632

SHA512
858351ecb94386dacdbbbb4ae67c66f93d53a673c1b3d424f3a1920611ebdb1f2198ff8ed147942b993c1558ae4d2747f61441ecc4c8caf7f758af9933f63b1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01094d04f48ab86e8da3125316c1c065

SHA1
c93e06379b07aaeda883454b3077a37ad635e383

SHA256
2f50bc01471ff34ec82d2a5d18ad1cb49f04a22044eff89a8745444160c9953f

SHA512
2e62e2c4d925493f09f4de5a81abc432dc20ca7f98cd57240a7cb19b20ef49e5086fd65b5b1ab05811e88f119929578f3e4ee17e47efb1d3b37a38f81f085f5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f50475a70d456bb2a0837b7ae66ecca

SHA1
4ae83845ec02bf9cb8de56029d3c2ac552f91016

SHA256
41164276ee67cb9322cd54be7f811f2437d2aa8bf3e37a07c6b2127385f47fad

SHA512
811e3acf38390f6214e4e1ef2c6734a818a11e187c9f3f8a348825cd0da46da5c41e9ddbd7885f6f56fac4142240bad648d02ca33ee47e630a9b172f16c23be3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B41912A1-C811-11EF-976E-62CAC36041A9}.dat

Filesize
5KB

MD5
6541d5cff9d7d0073e5a77dab32ffcb2

SHA1
74df3e6295457495280bbc21b688ff1195b027a2

SHA256
402a78fb34c2883d6421d6b16fd5b46b3ab24dba2d83af309ab6eac1be41ddad

SHA512
13d8894fd8298a2cb7650445a640746b4f63790123178bc4af7a53f10a52fb8e2d6b310567e389b71eb894c0d4500f29555fb788af376d3defbdd2be7ab76ca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B41B0E71-C811-11EF-976E-62CAC36041A9}.dat

Filesize
4KB

MD5
77f69d9b27c37765114c4b039ad38954

SHA1
200b40fcbca3ce7f7681e1f78b721e8e01522ad4

SHA256
c577993baeaa6b06148e9f2257a590b39bebd490305ea75aac8bfec2cf319fb1

SHA512
6c05c73d63367990bfb22f8df6320ec6dbe56f8f8bb39639e7ea04078a047662ec1465b1f983f9fec9a127bfb3a00d9252b84ee5be4155db2deef718ba8b50e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB213.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c357d76c061f83034a2d2fa9bd1d6c0mgr.exe

Filesize
88KB

MD5
a61ea5f2325332c52bff5bce3d161336

SHA1
3a883b8241f5f2efaa76367240db800d78a0209c

SHA256
e6f8a54ed663061527ab46b8e8efc2a0f3c99ae77829c0be0e50eb5b1b48415b

SHA512
fae031e0e7dcd719240bfe94a3f78d1aac73060324d5b65e0cbe564ce6d6781aaa5e930f0729293e3b502b7d07f53f3a72fb2048d44d93d36851aab8330479e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB283.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1680-14-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1680-15-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1680-4-0x0000000000320000-0x0000000000340000-memory.dmp

Filesize
128KB

Download
memory/1680-22-0x00000000777DF000-0x00000000777E0000-memory.dmp

Filesize
4KB

Download
memory/1680-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1680-13-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1680-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1680-9-0x0000000000320000-0x0000000000340000-memory.dmp

Filesize
128KB

Download
memory/1680-28-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1680-17-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1680-18-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1680-19-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1680-20-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1680-21-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1804-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download