ramnit | 689084f514517ea1adc0dcb0726638ef0ad9f2abbc6cf31edc2e1da3abe6959a

Analysis

max time kernel
141s
max time network
127s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Size

2.4MB
MD5

05b796d3d42d42b66e2ffe37ef1da036
SHA1

5b01f441f58ad8c228bf3e57e23371afbdb06c81
SHA256

689084f514517ea1adc0dcb0726638ef0ad9f2abbc6cf31edc2e1da3abe6959a
SHA512

51ea73da5ab1acba85d609c05cfaf7e56ffdb08c3f12e85de4c108381019664fbf1961080c235235bc094214ac561450fbac633434029d7355eb37e1a09b26d8
SSDEEP

49152:S6fC89U3qlVXqfKANO31r2MlS+SW26/dvUmDgGf3eNG4igycv6peq:SPQUwqfJNYr2Mw+Sm/2mDgGf3TZpe

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx	acprotect
\Program Files (x86)\MountTaiSoftware\Lodop\NPCAOSOFT_WEB_PRINT_lodop.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exeDesktopLayer.exe

pid process

1188 05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe
1696 DesktopLayer.exe

pid	process
1188	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe
1696	DesktopLayer.exe

Loads dropped DLL 7 IoCs

Processes:

05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe

pid	process
1632	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
1188	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe
1632	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
1632	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
1632	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
1632	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
1632	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe	upx
behavioral1/memory/1188-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1696-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1632-7-0x0000000000400000-0x0000000000707000-memory.dmp	upx
behavioral1/memory/1696-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx	upx
behavioral1/memory/1632-27-0x00000000748B0000-0x0000000074DC1000-memory.dmp	upx
\Program Files (x86)\MountTaiSoftware\Lodop\NPCAOSOFT_WEB_PRINT_lodop.dll	upx
behavioral1/memory/1632-41-0x0000000003400000-0x0000000003507000-memory.dmp	upx
behavioral1/memory/1632-476-0x0000000000400000-0x0000000000707000-memory.dmp	upx
behavioral1/memory/1632-622-0x0000000000400000-0x0000000000707000-memory.dmp	upx
behavioral1/memory/1632-625-0x00000000748B0000-0x0000000074DC1000-memory.dmp	upx
behavioral1/memory/1632-627-0x0000000000400000-0x0000000000707000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

Processes:

05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px18CE.tmp	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe
File created	C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
File created	C:\Program Files (x86)\MountTaiSoftware\Lodop\NPCAOSOFT_WEB_PRINT_lodop.dll	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exe05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C3243D01-0585-11EF-A140-5ABF6C2465D5} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 64 IoCs

Processes:

05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\Version = "6.0"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\ = "0"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Control\	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ = "LodopX Control"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\0\ = "Properties,0,2"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\Version = "6.0"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\0	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Version\ = "6.0"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\1\ = "205201"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0\win32\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\HELPDIR\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ThreadingModel = "Apartment"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\ = "Lodop"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\FLAGS	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Version	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ProgID	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\Version = "6.0"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\Version = "6.0"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ToolboxBitmap32	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ = "ILodopX"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ = "C:\\PROGRA~2\\MOUNTT~1\\Lodop\\CAOSOF~1.OCX"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\HELPDIR	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ = "ILodopX"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\ = "LodopX Control"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\TypeLib	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Control	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\FLAGS\ = "2"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0\win32	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\Clsid	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ProgID\ = "Lodop.LodopX"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx,0"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\Clsid\ = "{2105C259-1E0C-4534-8141-A753534CB4CA}"	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

DesktopLayer.exe05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe

pid	process
1696	DesktopLayer.exe
1696	DesktopLayer.exe
1696	DesktopLayer.exe
1696	DesktopLayer.exe
1632	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
1632	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
1632	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
1632	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3028 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3028 iexplore.exe
3028 iexplore.exe
2868 IEXPLORE.EXE
2868 IEXPLORE.EXE
2868 IEXPLORE.EXE
2868 IEXPLORE.EXE

pid	process
3028	iexplore.exe

pid	process
3028	iexplore.exe
3028	iexplore.exe
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 1632 wrote to memory of 1188	1632	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe
PID 1632 wrote to memory of 1188	1632	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe
PID 1632 wrote to memory of 1188	1632	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe
PID 1632 wrote to memory of 1188	1632	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe
PID 1188 wrote to memory of 1696	1188	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 1188 wrote to memory of 1696	1188	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 1188 wrote to memory of 1696	1188	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 1188 wrote to memory of 1696	1188	05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 1696 wrote to memory of 3028	1696	DesktopLayer.exe	iexplore.exe
PID 1696 wrote to memory of 3028	1696	DesktopLayer.exe	iexplore.exe
PID 1696 wrote to memory of 3028	1696	DesktopLayer.exe	iexplore.exe
PID 1696 wrote to memory of 3028	1696	DesktopLayer.exe	iexplore.exe
PID 3028 wrote to memory of 2868	3028	iexplore.exe	IEXPLORE.EXE
PID 3028 wrote to memory of 2868	3028	iexplore.exe	IEXPLORE.EXE
PID 3028 wrote to memory of 2868	3028	iexplore.exe	IEXPLORE.EXE
PID 3028 wrote to memory of 2868	3028	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe
C:\Users\Admin\AppData\Local\Temp\05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1188

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
f0ac8a0938bcd4535f77b9c4f19fb280

SHA1
3289ef92ddf662978fd6223827de36262622b15a

SHA256
5c3edfab9407013d862689232844fab78a1520b6c0774c67433384f5aaaaa786

SHA512
e50b17c6262b11cd5d5f04eac633d76a0e861a8ca9f530d4a49e89ce759576b9c889acb00173c2e26c74af4b2aa8e414b741786545bafa595fa1ee43f503adb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f200ca8c2d898f3e3041604f6e68d3db

SHA1
2f579b85cf3f1af7fd1f7ee5d7643bb0aeb5e46c

SHA256
50e3bbabd5aa6418106b2e543521daa60caaff531adebec1414c734dc8abccd4

SHA512
a806eff49d1091aa276856d3bd446bf30aae08a36e41dca314f864f6e0a86114ff910478685c8d6b405ece5de03b111a953043984e32c441d642624a01d1ee79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1f529e662a06c2fb0bf5df96836c4ae9

SHA1
608adb1d7a9624242696ae7552cb946671f324e8

SHA256
774b962b58b33b651c157b147df6856572d1a89087fbd9d67af76ae972957e49

SHA512
c87c6829318f9bd5b99860374c4cb1265831f75d98417b56f94a9b5dbe6d34d38711bf6c248091b160b0a050f6c0b930ddd543eabdba44bd25ba22a6b4d9d2ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0e5d1b63443310e4686e03b263cec419

SHA1
74ffc6dd11a9355f1f85d22648cf18e2f864e5b3

SHA256
57e71440d4580ccee01a0859ec54beaf8267ad3fa512ef2907b147788eff8e51

SHA512
aead99d24526f3b82091cce5cc73dcaadc5831dba7f6c28dc1b669884597aaf43911b5d8df98f4abf8d718a7d4dfae2d9a4a190373d3ccdd05e0c131a019a17f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4461f8a6beaa50d3981b5a24544bca40

SHA1
1497daaad84d429091c83aa02f1c92aa98ea2807

SHA256
a5b78010f2c16dae9176160a7d4b471e4bfdad614d624fab1e2de8e488eb90ea

SHA512
2621b93b4025c02a2cedd8bb3f67e56d461f3564b462efd69d9852e2453f6ae48dae37fbbcdb566bb508c70ae926774832e45dedc34d288a29645023d498a5f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
67ee5e82199eba521d6c9a67098a2c9d

SHA1
c86da620645d2b300f6d7df582d877a1e59111d1

SHA256
f6ab6cf10d34c793bd195e663a044ea5aa7f578213d774d31f1c088b713b54aa

SHA512
3d402fbc7d5dd3ecaf285ab1aae23baa751c51b402348026366c00b014eb5bef9611b090dc8f25ecf2993a7fe2c63f59acb3984a41503f400ae776b9de4acb2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6ad48679d70324bf97c7bd26079adbb5

SHA1
38bba34ef0cefec1f4c8364cc382ea85e2102ce5

SHA256
bb58ff4764bf85940918831d043cc665e8a6a52b1aa567b8154b00de8d29cc9b

SHA512
5f06b5066a3451578b0a00b03fd341fdfe7e787190b559e0e72b1b18f0a12933869294586cb400b5ec2ccbea47cdbc024ad8d576cbaf16814afc7097512927d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
35d27a94fa76a3e2b1294a8e9726c734

SHA1
65718b48ee3f2535885d948bc41ab467d2bc388b

SHA256
20c0afe452b452ed0bb3e94bb02b0e3d7e51f591563beeba4e1126ccaab9b4db

SHA512
2cec331e37db4b5ade712163368f76132632f001b618690e2b2f0417468e50c461122c776d9ab5ba4c7fd092a69925c458d945c90fb9be21f408a14ab2ecea0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
21c04619e605cdff447847785df90096

SHA1
6c1708ba3ef18065e39205387fa0e7155794c552

SHA256
b586f9bbcc47d0bd84e7e758170a7a3ebc57233404f251968935e4d6ceb97ae9

SHA512
646e6876d6af6255014851d4639e6a2553bd2e65f7ee51234463666a1e346da8e2bf50fca6c8e2fa6ae53434dbcd34263b0d6010192b60dee4ec046b1e1dc086

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
45b8a149c1d12e1bc9e885aa6755b9a7

SHA1
10a8d3115a24f21629c3a747c55c0b36214ef7cf

SHA256
f2aae2073ab1a6e051d5f6bb9f1d459f57f3d13b824955a3a0323f721605bc07

SHA512
63ca6fb46dd6f113711531fc14da41577530c98aef38cc88f86bf8ddf37e05863e8b5e1e51ee031826e3533da493c7ab53dc3e33465b300db214b1f9b22918d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\05b796d3d42d42b66e2ffe37ef1da036_JaffaCakes118Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3385.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx
Filesize
1.5MB

MD5
c6225b9315cc32553399c259c354011f

SHA1
3c8a08be54464151f666381c5ff0772b5073a951

SHA256
fb44c6a7c22f1ff588bca39fec8cadf6d7fd99374b96970adc4202454cd0673a

SHA512
f08bf619e5cdcf5be0250450ddba2a993c95b463211b1a2072f54d497556f10518851f5cfbdbe3bfc106567c553b347d6ddd0897f094eb4dced2b0dc557239d1

Download Submit
\Program Files (x86)\MountTaiSoftware\Lodop\NPCAOSOFT_WEB_PRINT_lodop.dll
Filesize
335KB

MD5
0b11270c32657df207a40d0ef02e07d4

SHA1
894b3a5a4edeecb6e9a7fb172570ff6c6cb63ec7

SHA256
60a5fda3a85bc29cd94b7e1df6aa613353b31187bf5a9b30363d8dc6f1dfa202

SHA512
3863c7fbc250e9754c5a053dcb0a4e37ac11dca65ba8ee25ef67b227d9df1f00eee538f524925dad286abb12a34a6d39bc1eebcff3380f56381d633693f66573

Download Submit
memory/1188-9-0x00000000003B0000-0x00000000003BF000-memory.dmp

Filesize
60KB

Download
memory/1188-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1632-27-0x00000000748B0000-0x0000000074DC1000-memory.dmp

Filesize
5.1MB

Download
memory/1632-623-0x0000000000260000-0x000000000028E000-memory.dmp

Filesize
184KB

Download
memory/1632-43-0x00000000748B0000-0x0000000074DC1000-memory.dmp

Filesize
5.1MB

Download
memory/1632-41-0x0000000003400000-0x0000000003507000-memory.dmp

Filesize
1.0MB

Download
memory/1632-42-0x0000000003400000-0x0000000003507000-memory.dmp

Filesize
1.0MB

Download
memory/1632-630-0x00000000742A0000-0x00000000747B1000-memory.dmp

Filesize
5.1MB

Download
memory/1632-629-0x00000000748B0000-0x0000000074DC1000-memory.dmp

Filesize
5.1MB

Download
memory/1632-7-0x0000000000400000-0x0000000000707000-memory.dmp

Filesize
3.0MB

Download
memory/1632-628-0x0000000003400000-0x0000000003507000-memory.dmp

Filesize
1.0MB

Download
memory/1632-17-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1632-476-0x0000000000400000-0x0000000000707000-memory.dmp

Filesize
3.0MB

Download
memory/1632-10-0x0000000000260000-0x000000000028E000-memory.dmp

Filesize
184KB

Download
memory/1632-622-0x0000000000400000-0x0000000000707000-memory.dmp

Filesize
3.0MB

Download
memory/1632-44-0x00000000742A0000-0x00000000747B1000-memory.dmp

Filesize
5.1MB

Download
memory/1632-625-0x00000000748B0000-0x0000000074DC1000-memory.dmp

Filesize
5.1MB

Download
memory/1632-626-0x0000000003400000-0x0000000003507000-memory.dmp

Filesize
1.0MB

Download
memory/1632-627-0x0000000000400000-0x0000000000707000-memory.dmp

Filesize
3.0MB

Download
memory/1696-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1696-19-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1696-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download