ramnit | f3a361c788e361683d98319ed7cf3c220665e652c3cc705c1dada512b6cc1e42

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00.exe
Size

249KB
MD5

6c8529f4ff68e55a5dfdeecdce0c4d00
SHA1

6054717df3eee43259c5a10707743fce04bf38ab
SHA256

f3a361c788e361683d98319ed7cf3c220665e652c3cc705c1dada512b6cc1e42
SHA512

ae10f8333ac37404cf1bdadaab3d58bb62567d8256ea3dd3f5c028299a10b5a6de6271297871086a4868190bcbe8ea7bd6e68e5fff313d3fbfab9c469db838e1
SSDEEP

6144:pTnjNh5zcO/U2yRDsr+k+ILdaqcLIKIeLkbwRKg2CfQ:F5zT81NeZFcLItf4Kg1Q

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 1 IoCs

pid	Process
2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe

Loads dropped DLL 2 IoCs

pid	Process
2480	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00.exe
2480	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2408-10-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/files/0x0007000000012117-9.dat	upx
behavioral1/memory/2408-13-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2408-15-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/2408-18-0x0000000000400000-0x000000000046E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AC098D91-C9CB-11EF-B36A-E62D5E492327} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AC07DFE1-C9CB-11EF-B36A-E62D5E492327} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442068075"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe
2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe
2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe
2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe
2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe
2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe
2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe
2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1928	iexplore.exe
2464	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1928	iexplore.exe
1928	iexplore.exe
2464	iexplore.exe
2464	iexplore.exe
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2408	2480	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00.exe	30
PID 2480 wrote to memory of 2408	2480	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00.exe	30
PID 2480 wrote to memory of 2408	2480	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00.exe	30
PID 2480 wrote to memory of 2408	2480	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00.exe	30
PID 2408 wrote to memory of 2464	2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe	31
PID 2408 wrote to memory of 2464	2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe	31
PID 2408 wrote to memory of 2464	2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe	31
PID 2408 wrote to memory of 2464	2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe	31
PID 2408 wrote to memory of 1928	2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe	32
PID 2408 wrote to memory of 1928	2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe	32
PID 2408 wrote to memory of 1928	2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe	32
PID 2408 wrote to memory of 1928	2408	JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe	32
PID 1928 wrote to memory of 2756	1928	iexplore.exe	33
PID 1928 wrote to memory of 2756	1928	iexplore.exe	33
PID 1928 wrote to memory of 2756	1928	iexplore.exe	33
PID 1928 wrote to memory of 2756	1928	iexplore.exe	33
PID 2464 wrote to memory of 2888	2464	iexplore.exe	34
PID 2464 wrote to memory of 2888	2464	iexplore.exe	34
PID 2464 wrote to memory of 2888	2464	iexplore.exe	34
PID 2464 wrote to memory of 2888	2464	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2464 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2888
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdd63c52a7165c67d47a321f64ccf1f9

SHA1
cbd1bdd4074ac968709d1a463d1e19b454a71da7

SHA256
258a7618807142224081d4737a9ba590f317349f0b916801b8e093a73d0278ee

SHA512
c71cc6142ea6f9313030476a25e9bcfb771e9444e8023c1533356c6db179b7ddf1b17e50f3dddfa92939e322b5a0623277616c20d54f1f81190948130b8dcd88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba3cca4b78ba807ff618d76fac66e543

SHA1
e9b7e1d3ce0356e089525bc3e4ee5fc934dffd05

SHA256
c7485c7db4ea005514d0a497f345ac5e4e437361451fa83319a4dcb26f977eb8

SHA512
01a35f920648b4eb9ec5c09acf12e66efab484d956be18635937d0f50ea7866c5fcba9239cfc8da7e432a458fe93cc5dcd42d3f66d315c18b8cb53146bcc5e4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59d2ce72f2b4d5777085cb2967b7ab06

SHA1
b19abea8133b5218f9c51860a7260285ea64b352

SHA256
c3f99920e7ad541fac90939b4770d647505e9e01c61bac38d2a361146d9be03c

SHA512
808d81a24a299229cea85ba0f5fda470001d7e6cc8a6150c1d68972a4cb210223eb9b2432a57fd31ac7ae64b077c6821433f05b50d67433e4d59d6a5c5a4fd9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9643209423db3fc67cf717707c166d2

SHA1
22e3fc5eb20b151da24e5273fb43de47a4deb7ab

SHA256
63781a40c59bd63f93beeec0f086a5b2e17ecc4e110ca2ec95c7b728be97fa0b

SHA512
41db6e2f0fe02ede3a50e5e4a8b719f2bda59d09d8b561305a2542ad197f46882c5ee87ac1526fd82f1d14026e9a621801e97dee57abda1e13c3a644924a508a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2eff805bf1051813dbef6f3d63e60f66

SHA1
5761a7c122609f26d11b0cc414e4d28a303c8378

SHA256
69aa46ef52fb67a96b22a798b397c88354f0dcf3a5a1cc96b5205c34584999b5

SHA512
b9ba42c8209fde13a799e0b040ded47e403b35b3d2dd4c3dc9baa33ccfb20e1558dead1376587c194050bbe69f2534ac196fab6639bb94b2428807e8278915fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12e302f6ae4078834443c5bd3483931b

SHA1
cf2bbe7a46a55818b333b45ac53ce1f4b45b1726

SHA256
d97c91d42ed7d4e926b6e74a1542042e161a9b8f83702784075795f2e0489517

SHA512
c1fa8b2511dbabd2a46d387bb2e8c602f39935c0215cf2be4475e921ff0d3d2538e9cb58d9fcdfdc04b585cfe71e869805108188ca275a25c340f608b4e297cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8edc0dcbead22c061192d2bbb40cb7d

SHA1
2f6020146878a0b3e915015b152ee154ac5e7344

SHA256
596aa85e698946b4e13a09b8197652c0a41f0afaa1a04d0fd524b925aaf3b977

SHA512
c64c65a68e33fe389ad6582bddb3ea01865189e243b7903fa0d064bd36c278f8614292e97c68e18001cfc7bdba372c945778dfde1427dd6aaf3c18fed2b68a7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec9ffbc2d99bdc18552f775873ec12bc

SHA1
e6f12514e09d991f88e71bba126932e0cdf7d8dd

SHA256
f57ab2d213614786d4f13e9b461389b7e60e58b1a79f867a5a778e9f77161875

SHA512
ed1741672358a5cc23115e8c034d96674d862dc785381f83bf4dac2e84f9eaf410ec35f22aac755c4b47cda66c07be36b75cb74f93743a366692b4900f22688a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
081fa7900fc2c3bf7a4e64a6298bd6ff

SHA1
d01e89f3cc8728c0eefeff8053742e2ad095ae4f

SHA256
da6e9ad5b258bcac7506326a04fdf0acc545824abed525328110167d82287607

SHA512
eb780818ea045d79a7a4254018fdf5059e4092a9b357dd5f2e54ee98fb3033386c56abf1bcee4dd8aeaed1dcace432055ffc99d84faa69c67df41e637a07d51b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38bc0f707333c73bbd46f78c8d03f2f6

SHA1
0cb64563b3693aca7afa3e2b4f68c36cbc859c72

SHA256
e0957babcef19f66406187fda481d0c4a0ec51652ecf7781691d12f6c2ab765e

SHA512
7a10235f00b4672f6ac56458739724dde6f77b4c99ae9e017e1048802175b7a0652e9e8b66112628454ad8e02c52960924ce91c324e3e97f260bceb21421b17c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5708d77d47405374e3e78bc84b394c0

SHA1
318a51d93e8c620bd012ce71daef53ae3ffc64e1

SHA256
98a3240792e7cc3f6f41bfb668c31e99fad4130f19a4d25980b219e9b794778a

SHA512
7ad931dc6a0e790a39946a2bc0cd2c08e83bad6c7c076f3e73e4354ed940cd3c4d38252be9deac4956ac37ddb6641adfcead7920bcd95c7dd882cb0c6e3013c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac3e69b3fa637bf299e25562135de763

SHA1
721eff715f5913ded75f8bb7af8f5c98ebc9228a

SHA256
d06e5092301ae2ff2e7fafde08154957d44edf73e811ee2ccb8969050bbe7ad7

SHA512
b448cb265b2f4ab78b839be4ec6d9e7e9f4bd5ef822df9a9128bc1fa971c554a84f5d71010b50f1e08ba0fa5fbe060ae576fece701bc33007c18ccb1d8138d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
284e46bcb23414735af51104fa818333

SHA1
7e6f97ade07f9d551a1db55762c14b1d434b943d

SHA256
d6b0b7e58c3071dd5e1bb4ca1fec8f7146c914b18fd686b9191d3cef06850e3f

SHA512
2460d136f4e63dcea18b161db8fe5bf7267bdae7400e259ef28e9b3bbeae31170c65f1d861a0efd0ffdb67ea89f289e38ec3c1a2859017546a59dc2da9b0fd89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c33b3975ca56fd0854340fb550d4a95

SHA1
0a3675550bee9670355d0c81f54ae231a3d4e12d

SHA256
a35adbffaa3ddd6aea97ab3f5134896f810ece6f8ee94333c68ee98eb1a196db

SHA512
a6474bb1e1f29654dc15b536a6367b67c77287bae44c6a5a05a1682b4b6c819d03ab07408920e5c42228522ae5be8228581f58ab356c64a830c12ab963a2abfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f35249128853cc59f5a0677ef5e9b51

SHA1
3c46fe58502a3959e145bade957463251481715d

SHA256
2ed0321a07fa4f28eeff395322c75ab462d8b33e89b4adaa3582cc9f981ee55f

SHA512
c3b8da7ba635e0bea0354967318d423cc952c5a4b598faf1b76617276acea4dd23e023c108080823542fbda2f2d95307e5b13a98e463e54acaf5eea8db09c4f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dff0a55fb2b646d141c06eb3cde5aca

SHA1
4b80d91078e6b7bac4a56e2f1b3941550f5d5ea9

SHA256
d1c361c1b12c36a0e7e522bcf092c7408c2529060e142d06d48fc1120e7dcb9f

SHA512
8412cf43d79bff845d625fe06125ca0ac01f98c794192b44ab5541194ab799a6b7accfbbf9383468bc915211085ed6e09e798b0ce320d5bcbc2c0a3230a010d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fc232639187512a8c7d6d29104a8340

SHA1
8dfc181582a78e3b94d5c6a9e4228fa48b9c9987

SHA256
667ad47a25ae237ad381e992f39323c7ca5556f9ddbcd6a3a271271605384ff1

SHA512
4a53e42bca20b577544b5ef034fe6bac59af1b140814dd1f54f987bc5f6ebf652454edc53de86760466718011342d715ad2ca9e0d00fba5035729a7b21388f45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21c2b91aa83b1ccac564c611b2cfc362

SHA1
e13a5d890ad2c99124324d66405087aa20f577d6

SHA256
db710d748a4e1c2dee17be5ebf7ec8328def4367cd5674ab3fb680f7b807cd77

SHA512
f6c6f1a1400863ec8c4095f2215c5fa7d51119156e1efc75236e69b0ee9e20f1aa01f8bfe39ba5363acd745f691fd0d31ed1cd6c07a30007b5390c95c2c44ca2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
978ab62e08f8be3c64c69d5a10df05e0

SHA1
bc4ec17c51bee51486cd2582655752acecb627ce

SHA256
6341ea33a2cc59435db1df2a5eabd665202f1b1bb56c12326f2d3994f5dec824

SHA512
39e9a56ea87163a8812df92931d0521f46b590a4b99366ff354e2400a8560571f537871087b38cfe51ad23ce0ff3e4397e7056f6c80a396a62c4d1fb011d21e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AC07DFE1-C9CB-11EF-B36A-E62D5E492327}.dat

Filesize
4KB

MD5
d0914f598cfe65600d8e21378187da3e

SHA1
d7dbbea0bdb47be5386cef7eaad64ed7e08284c8

SHA256
e08e68e9c3725eaa986f793f071e3e4f693b43abadccd22b35a8317548fb8d13

SHA512
cc634a19585ff9171530a89632802e9313b280383f144a659704dfa33885c09a2719dfd1a34cd50e018de46ac70f36a0d3fc59ef2e01b53b0451da4361103bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AC098D91-C9CB-11EF-B36A-E62D5E492327}.dat

Filesize
5KB

MD5
7fc9d73539dd9e98712461b909a5d150

SHA1
25703482ba8f8351f040ae3e0dfdee4d1286f933

SHA256
52ab48573750fd7c19b806ea3ba997963dd874c212e5c9d8e1b5b220cbd422c0

SHA512
ef6e296bc85e9b308e1f4af3e50e268aef0dc5ec99abd206e071f7687949a073959887bf85e78511ef692e4eae394918ea8015fbb5ed1b2ab61e3c73ab4a3439

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE063.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c8529f4ff68e55a5dfdeecdce0c4d00mgr.exe

Filesize
105KB

MD5
9b49fec7e03c33277f188a2819b8d726

SHA1
a7b6b4a0ecbeab9075c3e36ec2586ce8debbbc4f

SHA256
9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad

SHA512
049a0971913562ca8a134ac889d4750c71d89fe070fadcb06dfc49401f1b9b508275921e55f3f27a31f34d520e96784d4a50959fa1aab6bad878e9e5ea61755d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE0D4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2408-10-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2408-13-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2408-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2408-12-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2408-14-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2408-11-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2408-18-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2480-0-0x0000000000160000-0x00000000001A2000-memory.dmp

Filesize
264KB

Download
memory/2480-8-0x0000000000160000-0x00000000001A2000-memory.dmp

Filesize
264KB

Download