ramnit | 00e9c419233039d5c3effc9887267946fb184e10ec21a438947b69822966b13e

Analysis

max time kernel
134s
max time network
128s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe
Size

178KB
MD5

7bd00659bed0bbc18900541a8a4867b0
SHA1

40dee5864a9b2633c48b97c59603f8c4f6efbcaa
SHA256

00e9c419233039d5c3effc9887267946fb184e10ec21a438947b69822966b13e
SHA512

99181ed720ea036970aff29e38bbf925627f8ba16f84a3b238f2920da0ea321c382521a8238532801d8c0bf895ff5203a95e1f5b1b58ea41c0e3802b6015d8b5
SSDEEP

3072:akAwOzhjdRmSZiAqFbrnp+KsYGngQbFutbgEehi3NqhiXnpI6ZW2A6w0:+w8h/7PCkKsYGgM0//NeYp1ZhA6w0

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 1 IoCs

pid	Process
3052	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0mgr.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe
2220	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2220-12-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2220-20-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2220-19-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2220-18-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2220-11-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2220-10-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2220-9-0x0000000000400000-0x000000000041A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B33015A1-CAE1-11EF-BD41-DEC97E11E4FF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442187487"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B32B52E1-CAE1-11EF-BD41-DEC97E11E4FF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2220	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe
2220	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe
2220	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe
2220	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe
3052	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0mgr.exe
3052	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0mgr.exe
3052	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0mgr.exe
3052	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0mgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe
Token: SeDebugPrivilege	3052	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0mgr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2808	iexplore.exe
2712	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2712	iexplore.exe
2712	iexplore.exe
2808	iexplore.exe
2808	iexplore.exe
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2220	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe
3052	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0mgr.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 3052	2220	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe	30
PID 2220 wrote to memory of 3052	2220	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe	30
PID 2220 wrote to memory of 3052	2220	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe	30
PID 2220 wrote to memory of 3052	2220	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe	30
PID 2220 wrote to memory of 2808	2220	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe	31
PID 2220 wrote to memory of 2808	2220	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe	31
PID 2220 wrote to memory of 2808	2220	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe	31
PID 2220 wrote to memory of 2808	2220	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe	31
PID 3052 wrote to memory of 2712	3052	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0mgr.exe	32
PID 3052 wrote to memory of 2712	3052	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0mgr.exe	32
PID 3052 wrote to memory of 2712	3052	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0mgr.exe	32
PID 3052 wrote to memory of 2712	3052	JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0mgr.exe	32
PID 2712 wrote to memory of 2580	2712	iexplore.exe	33
PID 2712 wrote to memory of 2580	2712	iexplore.exe	33
PID 2712 wrote to memory of 2580	2712	iexplore.exe	33
PID 2712 wrote to memory of 2580	2712	iexplore.exe	33
PID 2808 wrote to memory of 2628	2808	iexplore.exe	34
PID 2808 wrote to memory of 2628	2808	iexplore.exe	34
PID 2808 wrote to memory of 2628	2808	iexplore.exe	34
PID 2808 wrote to memory of 2628	2808	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0mgr.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0mgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2580
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2808 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
706b2efbe79a5755f67ddc8b0cca5bb7

SHA1
bb0883b05031b2d4537811f865480df95ac547c0

SHA256
e31440ea44da9e74639281e0a7774f9f4277832b936de164d60b03f62d403b1d

SHA512
ac4da65753e895d304e73a0a0451a906aa4d6157e4c2e3ebb53d9e764afa0f05c0addcd995d56cb78c1e608d3bd2fb1cc6f85699b1b088891ff52ca2a237ddc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe667d3bd3a8cbf776924e577213f33e

SHA1
12f7ea1788eb56d23978e0d951865c972326ae19

SHA256
af2401ffdbc5e15956a11d65680d5f79994429472a60f1985ca8d3988b758451

SHA512
59aafff6d7f72d06758869530ec577541ba95c6cc1052f2411dff69d59b201427410cd8a75ff153455fc179abdeafc6dabcd0730a7d35464f6f8d0dc8f309021

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cc532db36bbf56c40651aa54223c1bf

SHA1
244c31d4eb5251f604365fe329f0f5e143eb408c

SHA256
2d3303a383d3b00a5bf5fdeab696edbc2f56589a7ba38cb5eb0ce4a3681706f9

SHA512
e4e085a0e1ac7bd3b1feb53f3c7bbd4de16560237c7ba2a9a92a4be6c3668b83489666222ca3479127beaed6152a0330e02758e1c333f4a981f1ba811fa94af0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4023f370814666e0e80d676b0c425919

SHA1
29113a6055766e6e781aaa53ddc00247d2e0bae0

SHA256
a044951edb5059756ee12fa903a63ba00fef1de87eb2c602e19365e616ca7cc7

SHA512
e479eb5691823d5d4a3dd06805ab1c4568d7e3f6d4eb975228a69acf254d2644c4d6082fbfb355cd15874f351efe72cc63b9554d4cf4bee32fe7143c50c6a643

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
449cddbe3337dbd9e90ddf67d92bca2b

SHA1
a963490d8d611befd274219a3b79f0181550baa3

SHA256
bd1da87981e04510d594633c081f025930dc83cf85cca0d64c2e60e4ef1df03b

SHA512
08639862bb69d912df5292416c0fbb46a61e31fc58454ee932be5dbdf32e765ce16b473b51c4f5d5b9f26d95b5216a453cb2f955e658f32194e7de1aeced162a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
767fee535dc99e867a62c5ea24ed29f2

SHA1
6016c75aa3b0a7b4c9a93850740ea0186d50978a

SHA256
21b4487bd6861645d3743198029ce8b34ba17a5e3c6a35676476ddac0a7758ad

SHA512
c438b155dd618149e4465103e0509ed701341153d758e37ef0169cac4879b79645157f17dcf9a8f95e41490b4e41415acdd02ab0d5ca943bd4d94a538a22a792

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49f8e7a7869e70b8fe0b40124cd136a1

SHA1
7524d4811d7aae3d4189e66f7a211e2dba8da31a

SHA256
d33f3d2f49d7bc465f2a939f49fdf82be193f889561ec4b092c726e153b8045f

SHA512
fcf02d296ba91130cc82539fa78099a408708b9052626f7b6832fc86dcbb1215b03e87f0d23465b195c74af440365a33ef408383587330d5e4120b42c88f9500

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
732d5c3fc516693c1fe701410c0a6772

SHA1
8fbfb4f3efefa770675c65a3bfc9b90c068b0e9a

SHA256
71589fc600f3c05e10792970554b7c6fbc383019a6daacf191f52749f9e93d45

SHA512
01a34d9909884a5a66cba0ade00e5a07cd097f55369194b5115afe690e99952b3d70c3e22bec73b18c5969be45d2a3273c51a0e5acda66cd96cb009a752abda9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56f8d81ac21ed60d30a77f62f6cc8e99

SHA1
1a9f06455cb81324d550e31f45c791e0a7e09717

SHA256
11fe61805586acd85b6cc0cdfa3530c4cd12f26c3ac6c41b99aa4f3c203a1b2e

SHA512
0becf8f10ed9d962a94c450f2dc7ff1d688a87512e4632ffc876ca587a68b6981015dcdb25c91bb68fd29e9fc39fce82dbc0f163afe4f68302282c9c483a8b89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa83e47c06230bcb487341211def31d7

SHA1
2dde738ecbeb2ce56db8fe3279d2561417846b33

SHA256
9b1141eb6bae266633cbe6ded7d743a67149789e21f9d8ef8a67a758d65ee7fd

SHA512
d474605ca3653365eddccabfcb56cf9cd3d29826f398b5a58ed63255d31a9f5cbb57a33e658da75315ea93b59e488544ccde31299ab84633b53e0713a4ebddf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28edacdd830bb33f4e77abe7e1fa7f13

SHA1
a4a7a26c3a6e8326099e0d5845d404a7ddda45dc

SHA256
ec25da8a1e418e7cfb27bdf2a5edc234e63066f5df1607713abcd14e8e94206b

SHA512
fc49cf88499e95af52e902bafee6f468621fd1d6216518c908f515b3205ef36bea7bd3a1e6b850c99445ac1246fd20c7751c36abed543f11b91b36e0bceb0e55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10fadc5520f961af71733a0bea0bfb36

SHA1
a643fed7f6cae301d391181c4af776fc3cce3629

SHA256
10ed073a25428455ef903086c962e300eabc0310631cc6e4a9b82a5732e9734d

SHA512
9859cd9e6572c813ca696d366b80233c9c8f4d96db4ccc1897551f490d92236c18ce7ee2005b0c06d7111edbbd17b8d355c92b0cf4d7da7e0d10d38e06341fd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
728b263552193e2870f1097446f1f9b3

SHA1
2df76b161fa4c5e1291190bc93786833ec542593

SHA256
cd0b9ee2e4c44d69016650a0b2adfefd41d357d0f82db72fc8b686807c81255a

SHA512
b32389c262d7027ce5764ea7e57fe60df2fdf1b1c72315bbf722a957a7f6b53d60f4b3a57a9724cddf6cb168dd8ae95a6c644f9418c171a81364235233851a67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2e1956526470bd615cb649455c417f2

SHA1
b27fbcb24a99d336e73e12b87e5baa5461ecffee

SHA256
c8a9e4c38b4ebf6a185c81c867bb9b7a3e5e3868c9a948771f3848fb7da74721

SHA512
584887fad98ed255bccf101cd398e0120174629821f7da82f39a25b72fea277f8649611006ffdd196ab9a1addce237a426eddaf1aa3390678da3ae4416d6ef2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5061f6459c84df6d75c2c340fd66d808

SHA1
77292ca1a2feff1015515783711832c8d4095f86

SHA256
f8163a4ec7835d415eb223f2c37b3db8054dfacc642207d3a3d7395e7c4e2831

SHA512
640dd622b4bf4f82bb094904ee232cf9057ae56bb9bbef6f23901ab598a78d3e6c3031fd9dcfbd2874feda1f8c8aa8946dec3f6f8e335bf78fa286898e3aa6a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70de67573da7b5da86770f3b9596154a

SHA1
9350003ece201bd42d90fe5660cfd8db71e1bcf8

SHA256
c1a058e1f830889f94a60911e17de5c2c017d6c8f93abdc8201baf522bacbbe9

SHA512
bbf05bdea6614d060490fe1fb1ac9ef3b03da6aefcfa666f0c65d0b81ef194eed7420dec7f7bb2347aa24a65fd357f891a3e225ea5f0f26de66f33ef50bb02ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3474c255344a0f06c10c2abed6e2ecf

SHA1
5dd466a94b858f475780644d7211d825cc3b8e36

SHA256
0f28780b526409e1d630767c8aaec8cbcf055bc468c30bb23d40a56b769a68fe

SHA512
8cb9157d204eeaf265d21e80da58dbaa393a80e7d9b0af9f3eb431326c46467693e621320168c961fc90f51652798f010edf4186a84e1df3f033af0e3211ead2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b26f0c92fc2a4c86233b36a0a3e34cf9

SHA1
caceaff9a9b10b790752e74c849759f93ff0c01d

SHA256
3d22e88a2a25d639310c0868c1467c751da7dea205691381a14f49016bd6d39c

SHA512
c18b09770ea0d2233d27c380bacfa078639dd08dbd010599e6735d0d36611c7ba7c4e6d50a238f467cb1fa080f1fa7d1de3574a055d6f10300c4d5563d510d42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b32026c21684dc39e88fdd7568e461f1

SHA1
b3082e6b06be2dab01e1e64b80d5eee64b3b97d0

SHA256
e06c51b366651dd2a83bd25b43bfef72c1ec4e20394cf5fe73d12fbbe27bf2dc

SHA512
4dbdce2e73de0a1bb504d5cf3c9530d5e32077136e9f72c506b33543d4ba69964738dfa3fd47f446d0aef207d3f6caa4f96fc4a87941d2ed9ab704dd458d43b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B32B52E1-CAE1-11EF-BD41-DEC97E11E4FF}.dat

Filesize
5KB

MD5
7068fcddc87979afdac53460fdb5ce38

SHA1
832fc8a52c97efbcccd283bd34f1d9063d2965fc

SHA256
428ddad7b85b48fcdf452c625b1128c26dba5e10e1a838adb6a32a82d0fe586a

SHA512
92e25035df6572baea7b201f486923f3b82c5248ac6a3dd33656713b95c8be94410ecd814ee3df4fb681f399dcd408d6add78b99d6e554aa3b99bae0397b9df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B33015A1-CAE1-11EF-BD41-DEC97E11E4FF}.dat

Filesize
4KB

MD5
9f2dc03d8e8441c4a39ea4df9cce8707

SHA1
dc851eb9f785ff5d4b30e2c84b9c414c079a14eb

SHA256
8ae9cb40aa9fe3a790a4961fc568d27a6d57d7e1408fc0e1535767db670d4a71

SHA512
76a627e9f5b3a8c215a13a6e69bcd8ef02b82c58757100537052f3317904e8188212134d31cfe7df31097a99fb73270121ffa6d240b5b8763b571a12a96305ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab64BF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar659C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bd00659bed0bbc18900541a8a4867b0mgr.exe

Filesize
88KB

MD5
a61ea5f2325332c52bff5bce3d161336

SHA1
3a883b8241f5f2efaa76367240db800d78a0209c

SHA256
e6f8a54ed663061527ab46b8e8efc2a0f3c99ae77829c0be0e50eb5b1b48415b

SHA512
fae031e0e7dcd719240bfe94a3f78d1aac73060324d5b65e0cbe564ce6d6781aaa5e930f0729293e3b502b7d07f53f3a72fb2048d44d93d36851aab8330479e5

Download Submit
memory/2220-22-0x00000000771BF000-0x00000000771C0000-memory.dmp

Filesize
4KB

Download
memory/2220-19-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2220-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2220-13-0x0000000000320000-0x0000000000340000-memory.dmp

Filesize
128KB

Download
memory/2220-14-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2220-4-0x0000000000320000-0x0000000000340000-memory.dmp

Filesize
128KB

Download
memory/2220-18-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2220-10-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2220-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2220-21-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2220-20-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2220-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2220-9-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3052-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download