ramnit | 76761f2c00a4f0bf44f9f016d7169596d260bce0e68652fe9dcebb101a79c327

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/01/2025, 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe
Size

300KB
MD5

59e68fa87672d612f5386cfca9974787
SHA1

0832c50ea5abc5742a1c3ac80af775a6ab9d87a7
SHA256

76761f2c00a4f0bf44f9f016d7169596d260bce0e68652fe9dcebb101a79c327
SHA512

beeeb0dcdb5dc67991ea95a2443899d19c592149db2a86ce07f2e440fe480002b04d5934bab2f3f716111d68f9db63614a4f5fe9a332ee692a05a6dc85cb2894
SSDEEP

6144:Ce/kqF3Q6nLJI/ohzLw1I/u1tHxgIh5nQCrOOOkoy:Ce/zFlLJI/o5U1Im3pHQCaOOfy

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 1 IoCs

pid	Process
2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe

Loads dropped DLL 2 IoCs

pid	Process
2552	JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe
2552	JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2108-12-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral1/memory/2108-449-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral1/memory/2108-890-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral1/memory/2108-891-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral1/memory/2108-892-0x0000000000400000-0x0000000000496000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441906158"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AEC58361-C852-11EF-B20A-C60424AAF5E1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2312	iexplore.exe
2312	iexplore.exe
796	IEXPLORE.EXE
796	IEXPLORE.EXE
796	IEXPLORE.EXE
796	IEXPLORE.EXE
2312	iexplore.exe
2312	iexplore.exe
1260	IEXPLORE.EXE
1260	IEXPLORE.EXE
1260	IEXPLORE.EXE
1260	IEXPLORE.EXE
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2312	iexplore.exe
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2108	2552	JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe	30
PID 2552 wrote to memory of 2108	2552	JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe	30
PID 2552 wrote to memory of 2108	2552	JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe	30
PID 2552 wrote to memory of 2108	2552	JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe	30
PID 2108 wrote to memory of 2312	2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe	31
PID 2108 wrote to memory of 2312	2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe	31
PID 2108 wrote to memory of 2312	2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe	31
PID 2108 wrote to memory of 2312	2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe	31
PID 2312 wrote to memory of 796	2312	iexplore.exe	32
PID 2312 wrote to memory of 796	2312	iexplore.exe	32
PID 2312 wrote to memory of 796	2312	iexplore.exe	32
PID 2312 wrote to memory of 796	2312	iexplore.exe	32
PID 2108 wrote to memory of 1256	2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe	35
PID 2108 wrote to memory of 1256	2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe	35
PID 2108 wrote to memory of 1256	2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe	35
PID 2108 wrote to memory of 1256	2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe	35
PID 2312 wrote to memory of 1260	2312	iexplore.exe	36
PID 2312 wrote to memory of 1260	2312	iexplore.exe	36
PID 2312 wrote to memory of 1260	2312	iexplore.exe	36
PID 2312 wrote to memory of 1260	2312	iexplore.exe	36
PID 2108 wrote to memory of 2136	2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe	37
PID 2108 wrote to memory of 2136	2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe	37
PID 2108 wrote to memory of 2136	2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe	37
PID 2108 wrote to memory of 2136	2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe	37
PID 2108 wrote to memory of 2708	2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe	38
PID 2108 wrote to memory of 2708	2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe	38
PID 2108 wrote to memory of 2708	2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe	38
PID 2108 wrote to memory of 2708	2108	JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe	38
PID 2312 wrote to memory of 2840	2312	iexplore.exe	39
PID 2312 wrote to memory of 2840	2312	iexplore.exe	39
PID 2312 wrote to memory of 2840	2312	iexplore.exe	39
PID 2312 wrote to memory of 2840	2312	iexplore.exe	39
PID 2312 wrote to memory of 2880	2312	iexplore.exe	40
PID 2312 wrote to memory of 2880	2312	iexplore.exe	40
PID 2312 wrote to memory of 2880	2312	iexplore.exe	40
PID 2312 wrote to memory of 2880	2312	iexplore.exe	40

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:796
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:275468 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1260
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:275477 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2840
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:734217 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2880
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1256
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2136
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e5fda8f34e6692555fdf98b48f59356

SHA1
0843358295869f6556f7a8172095992bf6f43dff

SHA256
9fb7b22f95a7d343f60c713af26c4fe4e4d6953d090e6a10b19fbd294bdc2760

SHA512
a67a124085cdef0fc3896e69679820e1fdd8233ffbf2aaceb6db3e7336ca99665075e0741e68d9dd6ece7f70fa492756e834570094153b5c7ecedabe9bbbaab9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a41f6e5f5f7ff4859d8a933937b2ff6

SHA1
a2a42ed60a4bb2b31330edad44e7e72e75939363

SHA256
f8089bb84893a9eca099e4c4135b606ab181e27f50c273cd7edfef9a0b1979af

SHA512
914f68bb3a8fc8fd24c4d84a478ee8d1237b904d3b4deb0dea2b55698a128a69e9f5b685301310132c8bae34277e96e1539d17493cb2a01d58b1fa30f7c0cddb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3260aabd2e6c56ba91ac87b1e2bffa5

SHA1
858b3318d3fe2db9617f2ef4ed204e566654a2ca

SHA256
278aa09b3bf487c97c1cc9fd9ea83b0ff43c26c14c2e90cf4909e6605125bfe8

SHA512
e112845378b84644095593a05657fa2b01d815c2086c6063d55b548e663a71a5c9d957f8a20e093a3791c1af21c16a0dd6b333d634da5315bbe677443b7cc855

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96b911815ad956c6c461ebbe4db9425c

SHA1
b312eefc9be13544983ad30533128304ca915003

SHA256
49f2d125bff4ab7fdd2fe5f56322e3a6f51d8a608023fdcb84a5978cc7e7ca63

SHA512
ab44e3d7ec850d2173c62ade9c1ee992bdb059eb2c9c54980dcdfddf41226a9beabd32a5decba4cc1b75c1269ca9af4764ac3bb317759e9804d0f59badb908f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45640dab72e48762d2d9940700e1a8df

SHA1
38c1c506e8738e285347386f36547fbc4e2714bb

SHA256
816b7166219988ea68aa417477e3665de3b12d241914bebb03cca529ef6c5ab8

SHA512
d3fa2b271ec4a7b03efbdda43c767d2b17e96b247b6961c61e97e27e17c593b64a98f1f531235dbdb30b6b7bec2f114223af9425791ccccd126dc94e1a443150

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c982e1445af51a446b16701c76e93b4

SHA1
8cd1fb8bfc545ad90bb0b049d96f19c8c3c0eb5e

SHA256
87f7b62677cccc647c3ad8a2e457550e4a617cb4bf698f5a6331ed547b719497

SHA512
e559e2531bdb6ca705db4a1a67c274b7441ac5a9cffa7e57aea1445a973c0896240ed948b8d7604927608a7624ce5a5565928ec07328a2a8178549987e37e5c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba034404d135e2422abef9dd6872e8eb

SHA1
7327a83381497ffba622077ffd8d15459a625b7f

SHA256
89bbf07ecf442cb6e313c0c7b1daa591ab1025eb07e6b6046fab8c68651ae226

SHA512
374c7b4d9d1932ec1c6766141cebd3b7148c09016c4da67573b07f67c7bb647d946e0b3877d0ee0d16b384d10dc9dd54357f2948b3c6e9ab2fb9a5c4b35161b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1790783f8d45c06d4a64095344447ad3

SHA1
cb09f4f2edd1ca976274a676967cf4cf8dee0d45

SHA256
363c5130f102dee7cfa1e9320774ed2a7bdea1071120bc54d9f7fd21d8c70123

SHA512
4132038f2908abc46149ce6fc179a69ddab808437d6f2a660a2507a85361488564426293164c6b5f2fe5eb27727c793ad1691be1f6e24635a45fc364849729f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0829e41f877c7ff1d63f05ed7b42eac1

SHA1
83373b87303df7e56de7cede830a9ac5c617e220

SHA256
bf968c8e64088e8c5b8cd0834a157acc64615608d228dba043127c8fe70c084b

SHA512
fa98d4e9d84497873596ef6e25fef1f7c74be0fc435d3f819a0ba9147a15a456c96fa329ff2cb1c5064fa7bfd9d05c6378ff4b47ceba7e8fc8b9a90f3e010580

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
108fc3241ac6132952ce8f103a9c82eb

SHA1
965e741c760207145c5948756918a8a3835507ec

SHA256
6e2c3db35af7a3d30a03d3acf830c63b6db116eb7f2f1174f90eee9919b8c9d7

SHA512
aff1ac8ddf7b9324fa776eaf8a5eabfd41036483991f1cd4afcd85eed17d0f3edc3c9ed42d2e7dc627fe16d9cd28383ada42d7fc43418a4002c39d841ef25384

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e7f7f1ea6d4b9c337636315711a0423

SHA1
4df31a26f5a3ed180727d73b745ea9c8b7501494

SHA256
a7fe940cff02fc46433bb01d54062aa861e241975e44a0aad9427eb94b1148f1

SHA512
9248e3cf8260dd501aa5f46c5a1fec1284ec02969531500267be608fb9a5827b1e7ea49687d6a94face8abe4fa36b5f1ff54eb584e252fcb7fa05438cedeb119

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91f1d19cb5b4ec12e867d57374bb3ad8

SHA1
e8b920ef19fa958fab95697e8cc5f9760231701f

SHA256
b8bbdfcdb75c0b764160a652781c51e0f16ac84fa63a1060a55dd35ba8c23dbd

SHA512
70c03f005234cc00a76e15da2c9dbd3b2ac45d6c3d8dcf15ec1f10ab9cf205f1d53148b3033035fafca21720208b783ebe29eb728bd2f2575f7ef00647050443

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d9c0c076b846b1b627741cce34f7db8

SHA1
7120147f2b939db7d1ea4854beedcfc06cdab364

SHA256
a1cfeb8dc96bfe5eeda7a3bc15879c8abc9350886131c7de472f98acdd761b40

SHA512
398e76b59a014b5a2558296e924acae0c43445f706109928081a7bc7e073d5ae2c046a531570997b249e867a541e903cf88d01544a50f5970cb07770f0808189

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ddeae352d1f76bd844833c31ff1418b

SHA1
817f95435184dd1f665f5965584e8d2cb0aef3e8

SHA256
73ba6f5172e072af3bc09aa1e0162f954cbb306664df67dd0d0560b8a6309f4b

SHA512
91ff4351b3bf4e4e4718372435e4c0ae1c8ae7ec6bdd3f7d715aaf7f1dfc516543b80d74b6cde25a02ca5566c64bac7e4c92382033ddb30b46fd3e61ce000602

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3014f17b85e0c12f1ce812978e07d20b

SHA1
1fab43f8a55257ca0ee0de8aad9cc05a8c1e1372

SHA256
68f979f2302dd2ad733fcd9cd98998c89fce6b1282c0617ef419ba2b89c3ae7d

SHA512
769748da428cea13869ac58f5dd0d69686462ead867cd981ce830d0149a5ab4e42a181b6e98d697714676245c6cbe776f6823b9b0f3077fe31ff7ac3eaafc464

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cadfde6f23a2274a3e493798ed7d3c1

SHA1
23d78141c0b45f778fa9f31eadbc5056f3ba3dcc

SHA256
8f64434db1dc4f195ee172fcfc2f838560e6b9a7acf301932320fb4720149e1c

SHA512
2404bdb56bbdfde4cb60f924dcbed185e6be15cf6cc941eac328c890e1ebb77183f0703044375f2cbcf9fc497dd3425d579bede6acda17edc592e7d27980778d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
565f6d9adb7a1f00effe3d71b4b68db2

SHA1
5fc7ae33c784d3ff00e75a5e163dd0335a03bf35

SHA256
2c84a2561f32a3823403cb9c4d3147d40ac2902784bd850b6dffb1f89ef309a4

SHA512
dbb07b9d1d5f48e8ecab6efdf2094bae0773b87d154df4a784caf19ce5b662d64e0e09b782dc74991fc26f9055eb23832717e824b64dff9fb4bf5454c28bd7da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97f66e709a93a4c6dd3cbeeb58f1e743

SHA1
a96e4f37438b6fe885b08ad772f071ceb47c97c9

SHA256
efb5bc2f7a23f5c536f6f7096f880ff0707d34df6724cd01fb58deaf192e3454

SHA512
f461569c078b059432d2836f5d57c775686c20ab52035622ebe40a89653568519f2a717847b2a9358a24dfcf3aa5bc2363bb81572e78f10b091ba9e4cee604fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24d14e13cce76c97bd29f4eb754dee88

SHA1
1574a2719c7f2be64ceedb44fd8bcb40d19c720c

SHA256
aaff80baff4b2cd49b8acbaf4bb893b415cadccb0998be9c5946fe057814cc1b

SHA512
2d35788f53f47506209bfef90e53f97cca75e77807c8eb0fe2adca38e94a73047c252027d08ebb419d386ea004ba51c648a1293f085a5802773cf2286d244835

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE237.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE298.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe

Filesize
192KB

MD5
72864b90643b2ff7a3e4c06b03ad2ce7

SHA1
52f60736728362514dec7880f67009408bf744da

SHA256
c0dc483d5d52f102a46125ba7b79757cf535aaf6075ff1bf0b255243d0b88c43

SHA512
b6f2abb30dedc588601324a203f348f453443a28de2a82b16ae175621471126680bf239e502e5c4f848955a6031e211976a3aa24eaa9e1e56b06c30916a23bf2

Download Submit
memory/2108-12-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2108-10-0x0000000001F30000-0x0000000002020000-memory.dmp

Filesize
960KB

Download
memory/2108-11-0x0000000076EAF000-0x0000000076EB0000-memory.dmp

Filesize
4KB

Download
memory/2108-9-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2108-449-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2108-890-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2108-891-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2108-892-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2552-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2552-442-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download