ramnit | 09043edc05ae233d8bdc2640d670c20b6259e863b2e6fd6b16efeb36f8deedec

Analysis

max time kernel
140s
max time network
132s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05-01-2025 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8de61c91381db406ece5f3cc242c4060.exe
Size

329KB
MD5

8de61c91381db406ece5f3cc242c4060
SHA1

48dfa924c523a73f293a3191ae8c33c8dade0e9c
SHA256

09043edc05ae233d8bdc2640d670c20b6259e863b2e6fd6b16efeb36f8deedec
SHA512

ffbb5106d9ce939232ba8a65228d022d12483b0991a9148fc38d1677592699d7c5c03ac661e36fa1c991f842fcd170423681d1dee8f7d4a81a28653b45f27d1a
SSDEEP

6144:km5liNOw7T2tpLEjnlqrDXjErOqJiL3lx9m709zbtDZ0AD:km7i37evzWct9zb8O

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000120f9-2.dat	acprotect

Executes dropped EXE 3 IoCs

pid	Process
3004	JaffaCakes118_8de61c91381db406ece5f3cc242c4060Srv.exe
1372	DesktopLayer.exe
2748	BRemotesSrv.exe

Loads dropped DLL 7 IoCs

pid	Process
1704	JaffaCakes118_8de61c91381db406ece5f3cc242c4060.exe
1704	JaffaCakes118_8de61c91381db406ece5f3cc242c4060.exe
3004	JaffaCakes118_8de61c91381db406ece5f3cc242c4060Srv.exe
2208	BRemotes.exe
2208	BRemotes.exe
2736	IEXPLORE.EXE
2840	IEXPLORE.EXE

Drops file in System32 directory 53 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{766B8DA3-CB24-11EF-A7C8-6EB28AAB65BF}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_8C1AD9434E0E1576771CA7E7EAD43D9E	BRemotes.exe
File created	C:\Windows\SysWOW64\BRemotesSrv.exe	BRemotes.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{766B8DA1-CB24-11EF-A7C8-6EB28AAB65BF}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{766B8DAC-CB24-11EF-A7C8-6EB28AAB65BF}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_8C1AD9434E0E1576771CA7E7EAD43D9E	BRemotes.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475	BRemotes.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475	BRemotes.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	BRemotes.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	BRemotes.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{766B8DA1-CB24-11EF-A7C8-6EB28AAB65BF}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	BRemotes.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	BRemotes.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	BRemotes.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016c7c-6.dat	upx
behavioral1/memory/3004-11-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/3004-14-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1372-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1372-23-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1372-26-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1372-28-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2748-45-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_8de61c91381db406ece5f3cc242c4060Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_8de61c91381db406ece5f3cc242c4060Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px9C01.tmp	BRemotesSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	BRemotesSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px9B55.tmp	JaffaCakes118_8de61c91381db406ece5f3cc242c4060Srv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BRemotesSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8de61c91381db406ece5f3cc242c4060.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8de61c91381db406ece5f3cc242c4060Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BRemotes.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442216161"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7653BFE1-CB24-11EF-A7C8-6EB28AAB65BF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 01000000000000000061f338315fdb01	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3B5B5FEF-0A76-4277-BDF3-1FF13DBB5F18}\26-44-b2-b3-19-dd	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	BRemotes.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3B5B5FEF-0A76-4277-BDF3-1FF13DBB5F18}\WpadDecisionTime = 409ccf59315fdb01	BRemotes.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	BRemotes.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate = c023f838315fdb01	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Feeds\SyncTask = "User_Feed_Synchronization-{19021AFF-5E3C-4A49-A9F9-D63AE764FFCC}"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e9070100000005000500120015004e0302000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	BRemotes.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	BRemotes.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	BRemotes.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	BRemotes.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3B5B5FEF-0A76-4277-BDF3-1FF13DBB5F18}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442216162"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Version = "*"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	BRemotes.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3B5B5FEF-0A76-4277-BDF3-1FF13DBB5F18}\WpadNetworkName = "Network 3"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Flags = "512"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	BRemotes.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	BRemotes.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	BRemotes.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-44-b2-b3-19-dd\WpadDetectedUrl	BRemotes.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	BRemotes.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1372	DesktopLayer.exe
1372	DesktopLayer.exe
1372	DesktopLayer.exe
1372	DesktopLayer.exe
2748	BRemotesSrv.exe
2748	BRemotesSrv.exe
2748	BRemotesSrv.exe
2748	BRemotesSrv.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
1704	JaffaCakes118_8de61c91381db406ece5f3cc242c4060.exe
2208	BRemotes.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	JaffaCakes118_8de61c91381db406ece5f3cc242c4060.exe
Token: SeDebugPrivilege	2208	BRemotes.exe
Token: SeDebugPrivilege	2208	BRemotes.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
1400	iexplore.exe
2708	iexplore.exe
2708	iexplore.exe
2708	iexplore.exe
2708	iexplore.exe
2708	iexplore.exe
2708	iexplore.exe
2708	iexplore.exe
2708	iexplore.exe
2708	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1704	JaffaCakes118_8de61c91381db406ece5f3cc242c4060.exe
2208	BRemotes.exe
1400	iexplore.exe
1400	iexplore.exe
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
2708	iexplore.exe
2708	iexplore.exe
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 3004	1704	JaffaCakes118_8de61c91381db406ece5f3cc242c4060.exe	30
PID 1704 wrote to memory of 3004	1704	JaffaCakes118_8de61c91381db406ece5f3cc242c4060.exe	30
PID 1704 wrote to memory of 3004	1704	JaffaCakes118_8de61c91381db406ece5f3cc242c4060.exe	30
PID 1704 wrote to memory of 3004	1704	JaffaCakes118_8de61c91381db406ece5f3cc242c4060.exe	30
PID 3004 wrote to memory of 1372	3004	JaffaCakes118_8de61c91381db406ece5f3cc242c4060Srv.exe	31
PID 3004 wrote to memory of 1372	3004	JaffaCakes118_8de61c91381db406ece5f3cc242c4060Srv.exe	31
PID 3004 wrote to memory of 1372	3004	JaffaCakes118_8de61c91381db406ece5f3cc242c4060Srv.exe	31
PID 3004 wrote to memory of 1372	3004	JaffaCakes118_8de61c91381db406ece5f3cc242c4060Srv.exe	31
PID 1372 wrote to memory of 1400	1372	DesktopLayer.exe	32
PID 1372 wrote to memory of 1400	1372	DesktopLayer.exe	32
PID 1372 wrote to memory of 1400	1372	DesktopLayer.exe	32
PID 1372 wrote to memory of 1400	1372	DesktopLayer.exe	32
PID 2208 wrote to memory of 2748	2208	BRemotes.exe	34
PID 2208 wrote to memory of 2748	2208	BRemotes.exe	34
PID 2208 wrote to memory of 2748	2208	BRemotes.exe	34
PID 2208 wrote to memory of 2748	2208	BRemotes.exe	34
PID 1400 wrote to memory of 2736	1400	iexplore.exe	35
PID 1400 wrote to memory of 2736	1400	iexplore.exe	35
PID 1400 wrote to memory of 2736	1400	iexplore.exe	35
PID 1400 wrote to memory of 2736	1400	iexplore.exe	35
PID 2748 wrote to memory of 2708	2748	BRemotesSrv.exe	36
PID 2748 wrote to memory of 2708	2748	BRemotesSrv.exe	36
PID 2748 wrote to memory of 2708	2748	BRemotesSrv.exe	36
PID 2748 wrote to memory of 2708	2748	BRemotesSrv.exe	36
PID 2708 wrote to memory of 2728	2708	iexplore.exe	37
PID 2708 wrote to memory of 2728	2708	iexplore.exe	37
PID 2708 wrote to memory of 2728	2708	iexplore.exe	37
PID 1704 wrote to memory of 2892	1704	JaffaCakes118_8de61c91381db406ece5f3cc242c4060.exe	38
PID 1704 wrote to memory of 2892	1704	JaffaCakes118_8de61c91381db406ece5f3cc242c4060.exe	38
PID 1704 wrote to memory of 2892	1704	JaffaCakes118_8de61c91381db406ece5f3cc242c4060.exe	38
PID 1704 wrote to memory of 2892	1704	JaffaCakes118_8de61c91381db406ece5f3cc242c4060.exe	38
PID 2708 wrote to memory of 2840	2708	iexplore.exe	39
PID 2708 wrote to memory of 2840	2708	iexplore.exe	39
PID 2708 wrote to memory of 2840	2708	iexplore.exe	39
PID 2708 wrote to memory of 2840	2708	iexplore.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8de61c91381db406ece5f3cc242c4060.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8de61c91381db406ece5f3cc242c4060.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8de61c91381db406ece5f3cc242c4060Srv.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8de61c91381db406ece5f3cc242c4060Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1400
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1400 CREDAT:275457 /prefetch:2
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2736
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\8812.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892

C:\Windows\SysWOW64\BRemotes.exe
C:\Windows\SysWOW64\BRemotes.exe
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\BRemotesSrv.exe
  C:\Windows\SysWOW64\BRemotesSrv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2728
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:275457 /prefetch:2
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\8812.vbs

Filesize
500B

MD5
eb1b857f7366a646fac609123e5d96b9

SHA1
76c4ad9a573fdb48245e6c190d4c15c012ff09b0

SHA256
511f330da55f4d08cb4e0657acb9fae93eb824d2f6aa3845bbd8bc352e0e7e13

SHA512
d3958c0789e39a07576c84b11d123f9c71fd56d92d1af0a37b7bf20dcf54b7fa62f9bde0a363e3f8dda4fd720303e31427629c9ddbb96adad7f369ecca31bf3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
951156db3596f80ea71079c16af08fc9

SHA1
acdb60c5dc84e213a38058ae3162838941278984

SHA256
321ac7081546161f012fca868a3d96e0f1ac1f2b167a1ade43bcacbda0dfce0a

SHA512
9ed04cc3cde46c383d6e02c244fb640f91c4d1ccced974b1291598d03b59f469d6205a5d0159950b5d3d81b75a9c4b767fd0cb9f5268421f41d46b052e8d043a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07499b432ba2b3baaf893c90506f3b1f

SHA1
d943afcaf57544b8e6f65cd1691fba1319b8b9c7

SHA256
5eda77645845094001c3b65296506318307507a2ff912c30e1227e87b1ee2e20

SHA512
d70f0f10e598bd903dc434fcf9e213c73a6715408684e031bf7a68d17eb1ecdaad1ef0b6f29855b219509cd6de02ed0c58825cf5846127fe5b64dd59f38247b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe3637b733c65214b6046073fa5d6c9c

SHA1
f4ce16d19d8e5d9ad62883dec81d104ac68d60a0

SHA256
d31455deac185c13968abcac05803f864782e08549293f4b49d1114756ebc280

SHA512
4ecccc621c6acc749b86a836a29933622ffee6ad11e712662d94b4c9476068565f6558ec65f3e5b391c241357e6f9707b8e7201cada44eeaa7903263a228f5df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fb4e47c525e155bb9e1790c1b397675

SHA1
3daef2c76ee1c9476860b94c74b146a9cdeef5ed

SHA256
73bffd83014626642f3b5aa0ed388def31048d6fc0b80c80cce318fa2c7e73f3

SHA512
c502bc6d0cf3a42f6fb3c761c89a19dbfd81f4663dea9b6fe98d95c2f0bfd6cd3f9faa10beabb7d24ae21df779dab950a9528bab8223e1231cfac82b5857aa1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81c702335a9a8c69ca313f9518ecd4d9

SHA1
3b402de570a20c48737f38026dab3a0b9d36ff7a

SHA256
0d73b31a6df68628c7e81089537485acab5f435794f4bae4d07776c56a1a59a6

SHA512
d3905fa1c50a624cd6b3fd93a81d0594b3996354fc5a29c1e768550cba620c12faa69c009c3ed44afd7b7b6a4107a2d9be44505fa869ada7c368a84aa15cbc35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f076226de531268af469fb5052db4ac

SHA1
89f549b6de3adf244bd30c82fb742467f63bf0df

SHA256
1ad3119aac94b674c7175785afe64cd8805c513a958bde1b93fce9b14e60c70a

SHA512
4fbaf90e2ca4c98204b2eac827664a322e604428fbc673a8503b87659330ccffb98fd862a4a55ae5073c14b84ff660ad0b56474d5ac029a8694a90f6201f09b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4840b3542036afdd8fb6d75f67221e23

SHA1
ff2c51b67c49096ed61366c47de300f5578f563c

SHA256
f4ada73f32914a23bc4dd88f00da5eabf9e6ca9e609da3aa8f785e9a060738cb

SHA512
a88e72c6e4e2601923e021445d1a1e3398b294e211e1108a4d2086b9b0f329df8bafbe50e040c02ae6f42c2adee372f745dacf00ad3b67750af055c82ea9cf42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16c5abf8eafc0908a9d6adeadde54221

SHA1
1be79ab88980607149c2206c22098598f6a6702a

SHA256
bfc978d031b10f4a2362c6fcf1261db8d087bccab0ec623fc6de2c5ee0053040

SHA512
c75750753180e31c154b4aeb7d9b06ad91f6e1d88c83b1dcdb2e2cd882e8e937774aebe753cf9d7449302e6e7836d8f842e6a77a958540bce594a6ed5f03dd33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ead1d603bc5dcde21aabb01e95ed581

SHA1
22406810964605b955486ffc22ffbfe631bad7a4

SHA256
c86295b54be6cf1f1f1a0a6a6f26abe5654c5da4e7ade3a65c16853e06d06179

SHA512
51d7fc1163b61c132fd537d0b8a0d1ee3cccf32061312d4aa186ff2686a4f8e5b925585c2a77e3feafa3bb6fa77c0cf6cafe230c87cd290ba240d2a37ab9ac67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c3b670efe84589dc575568bba5e933b

SHA1
3c84f59b49441134ef1529f9acb1262891254a68

SHA256
d7f46a45004f0b959b893659a060f239bd8b1470375573edf50eb91885825e2a

SHA512
9148a1f12e5c0d78643c8c22b82886dbdd91b150a62766b1f7cabeba808383a3809f953bfacf472d5c66cf3aa617f97f950b7dbab6d50bbad91aa7ed5d0c3ba2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19efb89b23cf653dfb3753ceb207b33c

SHA1
68012df3cf5c344c8ba0fe275c90af9923d4fd55

SHA256
b06b9a91e60d2e3f8f5d4b19cb31209cec6b3322e4c9fe96803462ce060cfd58

SHA512
4f975b77b7f0c5f08ad74220495d7417db5aeb9603fc64f1bb8fdda382565bbbccbca115bb48216a53952854ce4d250efad7bcd1eea7bd027963ef5c15b4cbca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c177840528076b237c85a09dd3a4808

SHA1
1dc8690e4ab7383b077ab788c5807831c8550f3c

SHA256
02a6272eef3049a8ace6f372c18fb6dd0b86ecd485f85f9dad97a57c6e711988

SHA512
c132ad1d8b8679bd14466a9d0f5a8d82e257aeaaef64964ab4c58f5b9b0e0ad95abbe3525b33dbd457cbbd362738abef17f31ad0b681e8601d7908b49cc941b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c96db29c01daf5c915b49bdc206a5e9

SHA1
feff3e34a541673d09cb388f848f6ef59c8d64e6

SHA256
b6c46c72dd07fbdf5833467a6a3020a386c2e962322d483dbb3b6e78a16cd35a

SHA512
e5d71c2da6e5a726f8975097961d56330f34d8fb813805616cc17946d9562da363f6aa7c375926962ce66db14c95aa30607ab86df7c8f82a8514c053ce37885f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
805b64835d580cc573972093b9257d3d

SHA1
05c856d8ab6bf4eb45c804052a7b44689272c719

SHA256
ba6c576ca9a022a57e3cf94805a6119bf6f1c70d7f6f220263b1c1c518483458

SHA512
83a9ee82b9e9a1ac3a738e946517e535b4de892dedaa8b76da38d9803bc0d28b51cf020b936e23c995904bfcb92fd07a1e43618a648fc0da4eab7ceeb1d506fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f28f07fd3060aaa9e2068c69200a01f0

SHA1
1960fb6f4bf8a49a58d93234fab322a8c2385097

SHA256
e0d3d9128d862e018fb558c66ee628492a81eafd006d3fd19de03b72d9e8dda4

SHA512
84403feaeabc88b060ea44170c0373d31ff7f1b7719c66bf50ff1f698e5d1eca1394d39b1d555f82ddbaaa6b53ab818d3e3d66196174b2fb114447cf936352ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d592a53c9f633c4dce55d2a5e0dc2202

SHA1
6c87241c0c39fbca56b2a59caa3e1dca87f2b6a3

SHA256
ff2717a530b328b7037243d1a16a850667c7f4da255de9658a2a04adea1a49b8

SHA512
9cec3c46a409b224bb36c1288bf2d5b30db8f8d3908d1b58f12dcb4068cf4ba08f7a9744a96debb19ec6f1eaba065fbc12f4fa126ae06535c8e8a698a10370af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcf62fb70b3b374c7968b9d4a673b33a

SHA1
913250cd2dedd0704092f737b752ff752a4c69cb

SHA256
a35f29ef797c8a8a40d83ffbeab372709ce83a75644235fcc230a1112fd4b8bd

SHA512
bea853c5b933bf4da2232b1040f2a15be4d684d641ed7ad5b28b51e7bca0d643baa90b86ce6f9c1adbfb1ef486a2c1c3f1fe8d15233dd5d1e746a0b7fcd47089

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4abc883246bce91dfdfc87497b4842f

SHA1
4be34d6b5857222f80e8bf0738b0307ccdd72312

SHA256
fc2947cf1ef09b40d4454de53d60068b3f460e10fb35dc9e9a4891302e50d7e3

SHA512
820e5e1db51a071915af7f726921541c2494fe6dfda0c5610a36456fc0a59b31ebb728ab7dd93446c23f3ed9543baab4c6e1fdfd75f399b4f7b0255cf998099a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d63de8102beef49c358a681e6911397

SHA1
18249292c0379ecb2e504d25a09e865843601e58

SHA256
a973d39d1745c325d5f370736bd937270ce3204377e1f67156790b9fe5fcc828

SHA512
db80fde3f755136277a275aee1f1271e9e1239e36430b381225d29332b077ff5737806ab83bb1fb1227eef5c6ab3865fe75492f193e04873921a062aca0d118f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
be5e4dd911f2e2a55161c32d6ffb7ddd

SHA1
5c3539e7af474476600c5af3aa891ca6f0461fae

SHA256
456ac8f90d2342b5b106c694a058de7435cfeaacebd363e178cf5cda01920e8c

SHA512
445f8f2bb4327da66898bca5c0e8655e5298b6c574dabd9a1881dbdab4c4045893d8c2d5fd49ae16e5f8c6cd75189cb46297f871ecec831947359a6a05b40066

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
3224035da4c4b8316f85ae020e16e5ca

SHA1
f44275e13e35146c68e5361e4e9cc74d20151e7c

SHA256
45180f88af35315bc307ba4427b5543b2ddf504008eb16f7dd006482d4617043

SHA512
1eb05fdd05d71c923386b78e08dc7551e3ce62e16f2347ed7a0261923de2862026f1d2953efeb1529b25ba0a5c493e3ff96ed504afeee32c50f903d5aa783462

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56a7f10cf2ec1481b08a72037f4415bc

SHA1
b058c35a8dd5dd58b3a1ca8f430a0614e6d1ba3b

SHA256
7327701909347479fc592013dd124efb1246233fcbec8c0fc992fc3d83ede8ba

SHA512
1d45c340315ee07eaf49b8373805724159e482a5423963c0ebe2c0e2a3cf040de14b2f69ed27c6f8929e1b24f042beac9bb562c052e28bdc0163fff2e5543da1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec25400b660e0df9ef8bdad43936d613

SHA1
0807484cc47d60804d4dc700d7a216314d9f838c

SHA256
16b32871831966cb2322b7ef4754a4aa014b85fb2622c03402880ccdabda0fb6

SHA512
3b1821e4c8c1dab64f72f3c79183912b0bbe41bdfdd343b6d3691fabde5dd6433f71366b67550f6d4eccb5db70dc5c657f8c121e4345540c14adfd79c5cd6c6f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
046939854afa86cf6ab0b5c095b4fe1c

SHA1
2b3b8d611752510b2a2fad6eed958b2f25b064f7

SHA256
533e5d5ec61efab76b724ecb41018f88372e9ab762fbdb8d132ec2dda7de9b65

SHA512
c6ab6d334e5bd0114a236fd3d22bd0b1932784245be07bf6f47854c28ed9f200eaf5aa2f779857ea48a15066c24e2a999618c07ae5fb8c1d19fe99b64f958fb1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcab803ba87617e2709226aea081ba4c

SHA1
c366f320c437c5751ba12171989ca54284fb84c4

SHA256
55a33b614623d2fbfc44d62fb62d062b52cf8ebff645412a01d4eb1bdffe9eac

SHA512
25b76d3ef15b6e87719403d4941cdc9ca35e69d322107dc1886fd3fe7d4adefab39599e852c071383b2e44bbf950247fb7530049adc3374d906738d4e05ec4b0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5f9cb6d9a8c432151e47cfdfe726425

SHA1
11d32935322ea041fc191c04e067132c4cfee2f2

SHA256
e86315662409ab942b930782c34008fdfa91ffbe60df69811917289f0cc01639

SHA512
abaae2dc932648b25e4deb683fbf679023665c6c2147c17bfd23308fa94aca8b9cb543b202d5efb69bb0eda0e2bcb8d07d661f151da07d72025ea509b80bbc41

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd1531705d1e914bd5f87fc7fd97a0cf

SHA1
c311321ec46745e5fba3e1a15b48ecf1ed998c74

SHA256
91eab4172bc36d207ad6f9c2c3be8693492b228fd581e77c885c94ec632c37c6

SHA512
c4af1005eb31e0d91e5edf1bdc74c059726250140a733758779710f46434d72a2ad6d52052851f0f14e019fb937680371733d8411bd79b47a4e1ba5f37792afe

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2164c7caf8988774fd33299357323cab

SHA1
6fe46e5454ed693bd27b7be14db981733daa6b70

SHA256
8249abca6897c287f1997c4168644709b346598ab16d82f304adbb1f0608aaa4

SHA512
2cba6b71f7476664c44fe71db00f2712c0da58e4e83a26ced8026dcde14c00bc2f3558d33bcebb10a4afbbdd656f40f4ab5a467e4528dbf999ad2eed29619b12

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42656a9991f77a0aa6fcceebd98c85b0

SHA1
1e83fc9b3299d16424f58bf8051c678e8ea8e131

SHA256
d5e463e1d76fc521d774468da2aa0e86218a8315df707896f3f45934c2afc6b5

SHA512
a002c090aa9a39d11039f8ea11b6030a29bd424fa0b1a9321515afdd18834190eaf3e14937cd0cc4f78ba4477468cdaef98d537722e184c3899f4a1a2a3c42c3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b40c1bfacaa5b3ad3da1f9949f420bd9

SHA1
17a7c617ae4f3bb61403175c71b9d90d27b4b8de

SHA256
28114b5f9d342ab686a4084494ad64d9466ad4cb67c8f023f4daa6dde77b0e44

SHA512
b12e9cf0a4c97c147430c039dad806ea1620f824034a4a06ad0b3756ff207816ff30e8d93ecb344f260a05b9584ffee582d632d3f67b89abf1d8f82d1b29ac60

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34035e6fc7ca9c7924c384f5042bd943

SHA1
eef625fb6c536607d7201f9a995cc3ae31d306f7

SHA256
ab9b4653c27a381b6e15eb5c115fc56f6cd104e3821eb29d8d1d12e73f55ec6e

SHA512
f733efc887becb66b56dcd0a8d92a938648f29e61a39b8131125da0a4d9e85cd1f0bf4baf46605d39ebdde4bb188d2bea067d9ba7df58d8c7dd13889962731fa

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4bf63d15b2e5c653b6272ca95515492

SHA1
ca413b5a98098acc95d1462c919630f15b2c55f0

SHA256
e69427644cf84ebc3387dcc8173bde332686d35e6c3fc5a9a7789ba6fad6ae1e

SHA512
ab659350ff92457200e27c03697a65f6c7e436d9297fb9643423a580fdffac5719d931e4c45f4fe690d142af9b11084064d4f6c9d4791e193fb5fab3f622ed63

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c835b25eadb85ddad9d79e09f19e04b

SHA1
20306fc6b7276d2a2961da9c87691b03c06e701b

SHA256
eb37168b777b6b7bb09c97c403a6c101d0e7cbe1eb653346839fe4a40ea249c6

SHA512
e6ec5729ca03afb065aa41a6de52eb3aca19609e0744ba539f4902377ec87c78218cd34bd926671013f948b1bece285d2ee40112a8b6c5516a7ba4145c28f44a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aae5464b7e6a41f5a49fac0522356fe0

SHA1
da62491d8692aad7a1e76d50366a9b3fbaa13c3e

SHA256
9c3c3c9d2491d1fc0bee8b467ae95e3d5b4cfa93dcaa2ca54579dfa2641c4d7c

SHA512
2f83ee19f7f2846dc6c60351d968896b6ecbff51b86445c93f6208894ba8517dcd16dc547f54623a391e4f836302232090d899d8c09bde88a4509992b9437c9c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f816e7ffa8cb9ca0d9a1d57b717fd0d

SHA1
719543573813143111af8a4b53d02315ef54f1e1

SHA256
75b686b7a8e4e2bab67104be8e61583081c9aec88e4e8cffbda48fb5275469d3

SHA512
375bdfea25a58ea7ed59b1bafa861e9c6563d69308345958d955fff1ca3d3381916aff75131a0fc77698486cb0b541cc0c5f6c99e01f0937635a9d064289c9f3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c53d4ef38bf7e4b21ca373ebfe24fff

SHA1
1dc8a90988ab54588bef2b9ec143226bd3801fc0

SHA256
3e25025c25cac1a2a31051f303d9f58d94b0de5cc5e7427234cc5b4cc0dc34d1

SHA512
e229b21dfe219630e71d8cc278ba8952991a709d6e4226b9a6eca4073cf5c66a3ee4a9fe28ff9291f7a804062b3a085e8e41bde71a6dbca36d296b6bcf10e7c8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d34195cde125f9c471fec785882ccbc3

SHA1
b1bc4651baa2a7ed00bd24eea8c70c5c2e58537a

SHA256
56ac3bd696eba9196fc7c5d700cd8a4be52efa93be521b196e396ffc4f7f81b0

SHA512
4cfceb1866cbcfcdb14292625c76c622258f2d5519c1d98f441b1c1d340d99f60ae1c7c757f746ed7d4e77f29bd2de4e5df85d9fe34729a71cc2521ee584221f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1db8e9e287e19cc5b4b61dd4d3e09a11

SHA1
a04466ddc9aed4860f87e3bcf76163cedb15e858

SHA256
b05b5046c2cb6833bad0cfa3d7d53981d6b6532d8fe42bfe9be17658cc2fe7e6

SHA512
6d90f50b291746e9fd86e98936d8b397b597e5217629c6ee149033d90c18fea9f1649a9fdb73fb1af4cadf8f037c3bccb5c19a436e4f8b05a0395808f62fba12

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
630a9b34eb593268698893aabc9717c1

SHA1
639c8dd7443b627f0980c9af2e933ddc7835edd4

SHA256
10ebb44e576692525744fd89d568f8337ea533e5cd6bb4b32f80013ccdfaf4ef

SHA512
20a8deb3544a62693544cfe505301909d19f9f5440ba59e1f2e3a1ca162c656561af7d259a64407bfb70f34c166d2f15abe3f8ee8b381c15b06c9f3792f896bf

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b58efeac981269feeadfc2826cda6d96

SHA1
b1c325a1fb8c976520ee020e0fb83da338887e93

SHA256
4e8dd230aae235228b3b595128c9ca1e4949b834df39a3927e91befd6b20371c

SHA512
9b9a8953f8206505265da2e842d7d071a1a855063b67dea30ab37e8f881ed6f88438fe07cb6f3c29aef61ffe83410de79899dc0d6ef64cdafc3b3f6fdcbe17ba

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ef9b26c9ae14afcccad69e545d57215a

SHA1
97f997fbcc382b2b3ee58b962885d74512c42d07

SHA256
59cd319ecc11b54ae8d5b9b374c497cdced4595ea5bcd8b99e8aa23a38cc19f4

SHA512
114b29548455a56619a5513e305d696792cb168f2180371467e0decf97343d1666dc4264f1f95d128a979260ea369222e95860241f00217760730171d59956d2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabAA29.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarAA3C.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarAD31.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\bpl9E14.tmp

Filesize
156KB

MD5
ba0a84c21933afc2987944ce980a66b7

SHA1
0c876a3b6b270e18b4342cf77aed7552aec75c5a

SHA256
f9519bad3d1e6fe82e63015fb89bc0831441ffe38ea5251160f4ce33f4b36603

SHA512
e5827fc43829ee0c3285fbe24ffd3733373c273b7d9351b2316abd8f57a0c8db01d199e160adf0c8dcfa2989128f0d28a5729546887f2d367364811facc4a596

Download Submit
C:\Windows\Temp\www9E81.tmp

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\Temp\www9E81.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\www9E91.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_8de61c91381db406ece5f3cc242c4060Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\xpl9AE8.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/1372-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1372-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1372-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1372-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1372-24-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1704-50-0x0000000001D00000-0x0000000001D73000-memory.dmp

Filesize
460KB

Download
memory/1704-4-0x0000000001D00000-0x0000000001D73000-memory.dmp

Filesize
460KB

Download
memory/1704-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1704-8-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/1704-33-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/1704-25-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2208-34-0x0000000001C90000-0x0000000001D03000-memory.dmp

Filesize
460KB

Download
memory/2208-1062-0x0000000001C90000-0x0000000001D03000-memory.dmp

Filesize
460KB

Download
memory/2208-1385-0x0000000001C90000-0x0000000001D03000-memory.dmp

Filesize
460KB

Download
memory/2208-741-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2748-40-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2748-45-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3004-13-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/3004-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3004-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download