ramnit | c1b09697062a271270f23287ee6309a51d771c4d5462bab20c5207cdb8ceaf48

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 15:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe
Size

10.1MB
MD5

0c21f7f98acbb24b4578920510bc705d
SHA1

e54054a35f4cc042fc359df9c9e3a37459ff35cd
SHA256

c1b09697062a271270f23287ee6309a51d771c4d5462bab20c5207cdb8ceaf48
SHA512

c8f4e380c886fb532614857f94928b8c2d561cebe15bf35cbdaa368617b4fa5d68e29504e247ef013193dd162176d9cffffb076e8045f8b2a66405926e396420
SSDEEP

196608:oQcbAFPlPrM/2V02H3U+T5AN3rO39DtEAbFzeORA9hb2GBnVDx4gTER6HJ:oQcsPJ42vU9Nbg9Dyhb2Gno4

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 7 IoCs

pid	Process
1748	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
3020	DesktopLayer.exe
2628	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
2568	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
2952	DesktopLayer.exe
2776	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
2744	DesktopLayer.exe

Loads dropped DLL 27 IoCs

pid	Process
2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe
2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe
1748	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
1748	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
1748	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe
3020	DesktopLayer.exe
2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe
3020	DesktopLayer.exe
2628	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
2628	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe
2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe
2568	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
2568	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
2568	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
2952	DesktopLayer.exe
2952	DesktopLayer.exe
2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe
2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe
2776	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
2776	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
2776	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
2744	DesktopLayer.exe
2744	DesktopLayer.exe
2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe
2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2172-9-0x0000000000850000-0x000000000087E000-memory.dmp	upx
behavioral1/files/0x000700000001418c-6.dat	upx
behavioral1/memory/1748-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/3020-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x0007000000014251-28.dat	upx
behavioral1/memory/3020-48-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2628-43-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2172-45-0x0000000000850000-0x0000000000871000-memory.dmp	upx
behavioral1/memory/2172-638-0x0000000000850000-0x000000000087E000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxFD9.tmp	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxEA1.tmp	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxF2D.tmp	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE62.tmp	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0F980871-07CE-11EF-8CD1-FA3492730900} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420738575"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0F9A69D1-07CE-11EF-8CD1-FA3492730900} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2628	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
2628	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
2628	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
2628	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
3020	DesktopLayer.exe
3020	DesktopLayer.exe
3020	DesktopLayer.exe
3020	DesktopLayer.exe
2952	DesktopLayer.exe
2952	DesktopLayer.exe
2952	DesktopLayer.exe
2952	DesktopLayer.exe
2744	DesktopLayer.exe
2744	DesktopLayer.exe
2744	DesktopLayer.exe
2744	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2860	iexplore.exe
2860	iexplore.exe
2588	iexplore.exe
2828	iexplore.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
2860	iexplore.exe
2860	iexplore.exe
2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
2860	iexplore.exe
2860	iexplore.exe
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
2588	iexplore.exe
2588	iexplore.exe
2276	IEXPLORE.EXE
2276	IEXPLORE.EXE
2828	iexplore.exe
2828	iexplore.exe
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1748	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	28
PID 2172 wrote to memory of 1748	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	28
PID 2172 wrote to memory of 1748	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	28
PID 2172 wrote to memory of 1748	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	28
PID 2172 wrote to memory of 1748	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	28
PID 2172 wrote to memory of 1748	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	28
PID 2172 wrote to memory of 1748	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	28
PID 1748 wrote to memory of 3020	1748	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	29
PID 1748 wrote to memory of 3020	1748	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	29
PID 1748 wrote to memory of 3020	1748	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	29
PID 1748 wrote to memory of 3020	1748	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	29
PID 1748 wrote to memory of 3020	1748	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	29
PID 1748 wrote to memory of 3020	1748	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	29
PID 1748 wrote to memory of 3020	1748	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	29
PID 2172 wrote to memory of 2628	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	30
PID 2172 wrote to memory of 2628	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	30
PID 2172 wrote to memory of 2628	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	30
PID 2172 wrote to memory of 2628	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	30
PID 2172 wrote to memory of 2628	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	30
PID 2172 wrote to memory of 2628	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	30
PID 2172 wrote to memory of 2628	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	30
PID 2628 wrote to memory of 2588	2628	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	31
PID 2628 wrote to memory of 2588	2628	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	31
PID 2628 wrote to memory of 2588	2628	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	31
PID 2628 wrote to memory of 2588	2628	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	31
PID 3020 wrote to memory of 2860	3020	DesktopLayer.exe	32
PID 3020 wrote to memory of 2860	3020	DesktopLayer.exe	32
PID 3020 wrote to memory of 2860	3020	DesktopLayer.exe	32
PID 3020 wrote to memory of 2860	3020	DesktopLayer.exe	32
PID 2172 wrote to memory of 2568	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	33
PID 2172 wrote to memory of 2568	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	33
PID 2172 wrote to memory of 2568	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	33
PID 2172 wrote to memory of 2568	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	33
PID 2172 wrote to memory of 2568	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	33
PID 2172 wrote to memory of 2568	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	33
PID 2172 wrote to memory of 2568	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	33
PID 2568 wrote to memory of 2952	2568	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	34
PID 2568 wrote to memory of 2952	2568	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	34
PID 2568 wrote to memory of 2952	2568	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	34
PID 2568 wrote to memory of 2952	2568	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	34
PID 2568 wrote to memory of 2952	2568	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	34
PID 2568 wrote to memory of 2952	2568	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	34
PID 2568 wrote to memory of 2952	2568	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	34
PID 2860 wrote to memory of 1600	2860	iexplore.exe	35
PID 2860 wrote to memory of 1600	2860	iexplore.exe	35
PID 2860 wrote to memory of 1600	2860	iexplore.exe	35
PID 2860 wrote to memory of 1600	2860	iexplore.exe	35
PID 2860 wrote to memory of 1600	2860	iexplore.exe	35
PID 2860 wrote to memory of 1600	2860	iexplore.exe	35
PID 2860 wrote to memory of 1600	2860	iexplore.exe	35
PID 2952 wrote to memory of 2828	2952	DesktopLayer.exe	36
PID 2952 wrote to memory of 2828	2952	DesktopLayer.exe	36
PID 2952 wrote to memory of 2828	2952	DesktopLayer.exe	36
PID 2952 wrote to memory of 2828	2952	DesktopLayer.exe	36
PID 2172 wrote to memory of 2776	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	37
PID 2172 wrote to memory of 2776	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	37
PID 2172 wrote to memory of 2776	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	37
PID 2172 wrote to memory of 2776	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	37
PID 2172 wrote to memory of 2776	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	37
PID 2172 wrote to memory of 2776	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	37
PID 2172 wrote to memory of 2776	2172	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe	37
PID 2776 wrote to memory of 2744	2776	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	38
PID 2776 wrote to memory of 2744	2776	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	38
PID 2776 wrote to memory of 2744	2776	0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe	38

C:\Users\Admin\AppData\Local\Temp\0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c21f7f98acbb24b4578920510bc705d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
  C:\Users\Admin\AppData\Local\Temp\0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:340993 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1600
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:5649411 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1808
- C:\Users\Admin\AppData\Local\Temp\0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
  C:\Users\Admin\AppData\Local\Temp\0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2588
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2276
- C:\Users\Admin\AppData\Local\Temp\0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
  C:\Users\Admin\AppData\Local\Temp\0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2828
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2828 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2120
- C:\Users\Admin\AppData\Local\Temp\0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
  C:\Users\Admin\AppData\Local\Temp\0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2744
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e40a7e98cee2b6f8b7d411ba7d913c2e

SHA1
fadf7a68ab40c6f18c477f15987aceea5fdea14c

SHA256
4adad7d42eb3e461071bdc576bb37e04a7929cba4263d9b77587abfa9bee1b7c

SHA512
6a5d1eb5d7e582d3bb182f9bf366774b03cee2dc5545f64826b2738631188c19368abbd0dd1d1df2e0591c4b2b0d5e6753b59555209880f5d11079ee7770050c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4194037780211c3e1bd7cf5b53d9f0f3

SHA1
98c837628de06fac5d0cbcda958e4c6f59ee5340

SHA256
c600851c871c9bb19bf436e0b576a5267257bf6592a0d3c226582f096e2b8fba

SHA512
e3df36bb8bd6e66b309a314279ed23c86dc963602dd1e9a8278408fef3ec0b20e9c022daa1720240094b6dfbccb9c8570b9ce69295ade7410aa8168769c964f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22daeac0f7e5c4028c2c59d5bd4f9bb0

SHA1
904b9fd467cf0a3c87741c2f47a0a173758d0772

SHA256
10a73068c3829078b46cd9e1ba555646011f8a421e99890fffbfb30f0536841c

SHA512
2a5043fa41de7d0aaadb85b9ecc5497730b003b5baf5517dd7f3e84062e28c310e9e8e93035ab527cdaeed701cd5fc766be03d7bc8c4074e3b54c1833a273f02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31b1b4cd30c1a55b1bf2c40e083b4457

SHA1
f4bb027957ee64e12ee5c5bc2948b90cc5e8ed85

SHA256
3ed812a24db0abd9bb3a2b0bf495723919c2bc1e4fcacd307603e674f176080a

SHA512
ed8a11b1aa5d35313bc2f3fc86be625c2d03cbb5db3c665398dc08f8bcee1fc264df7c952cf0ab4dd18cbb5b0a85f492ddee3b8629d52cdd4f52f4b9196d218c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
48890a67001a19f4cae30cda602d7b07

SHA1
bb9c22880b74fd0495aac3d5a2fdce764c9a14ad

SHA256
f86b5f8c0cec1dbee986ddc26bee10f6755a51d47c2c54d1ea0920b20c545106

SHA512
1dbbb366bd5c719890991028b4011c8b28627af32e81f058445f1fe26fb535d42a055740375d85d0e755981dfac23ea1c3c5cd1ea39402fd73864a5ff1634bf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ed78aac39a6bb16f104fb8336cef9d9

SHA1
80866c8914a9c87d1104a1186af38be8967c211d

SHA256
60f3692c8980c66d2c4880d62b42346fc963e9288fe86287a3d355e34496c8fd

SHA512
2eeb0f123796a97f2db9529950737c28ee2d16b3545ccb391cd53ed6bc6304c992fbb08c531c545f8c74c66d0c8fcf4e8b27c4333da6ffad7067dea2f0629bb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
962786d959b6a8cce476bb890d8f505a

SHA1
56239456ec817d8ce2b2a2935f4a857abcae4f4d

SHA256
dbce3fad802afdf6a020fe2de4bc21e034cb26e1b0fbdffcee022f0f9f1555e9

SHA512
f3c2c6662eedb39deeefdf7b13dc8754758a2c6331e1d6159c018351182bb14789af39a959560f4ebbbbed50839e4904c31bd29e11282a0521847ddce4e07512

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f210310c7cba1679bcb02e4ce52fc027

SHA1
fbf8a2aa27e9147cc163b06c99129ad0c93bb4db

SHA256
b9d8ea97903caa57046e8eecf881c13cef5ba73feafc8c6b8a94030dc45d10b8

SHA512
92f00ba2d409a93474456f5944f7bc42bc37ce0cd656ceabfa005d34c062ba372cd8f13be13ed06a31baf33a65a118d92e9d92d0ddaa2c0747fd25b483bff5c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1322dd69830294147c18acbd54b6202b

SHA1
17d5b7a61825985363e48cc3fb2e1121cfc33e6b

SHA256
d9766741947a80bf608b71260dcca8126afed5317893bd23a4ddc5799d01fa5f

SHA512
134beeb11e3574ee5821d2de82aca3b9379f14a12be903a7a996cbd78e08a3fe011eb3116671cdd2a5a5b14bc6a5076b703730bc09bfa6b29948b4ba797372cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42da93a2bae688f1b26ccc534e57d2a4

SHA1
cb121c8a52688b93b42b2707239f160d0e9bd2de

SHA256
2f2f3492dc77f3ff7464d702c7956b4f714e50d2470f56c40b5c7940f74a64a3

SHA512
c93c6a29eebb65b2995fd16a0cb50f869547bf480e639397ab58972e0925db4be85bf5da5e06d6f9e00ab5d107940e16d9808c42fdc41b7215c1421f56a431f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23f107ea8908c5dfca2f4df2afa0a504

SHA1
e2a2bddb8f9fdb85ac3febd0459cf2daaeda570d

SHA256
56e634410ed4614d8e5543161a6ca4a54f89100a7c4c02aca380b633b990a833

SHA512
e2da5b8cd9f4cd6f224b6b3cc231f4bacc394c290c2368b11ecff7b71c43ee91449b6e47a0fd830a8365f685cc420ac99a97ccc72cd01adec3a702e66fbb291c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
def46de1b6e39deda42a0984cac4ce78

SHA1
26ca640f5212cb2bd93da2b15db8ad8a8497e15c

SHA256
01acb4805e1c75195a8c12dcd93ca2bb7ea80de3058ddb3586169113e5cdae9e

SHA512
50a01a1e1e1249d8e987e36ee7a42972b8c66a870a88659ee2019154e389465035fd745a7d2126ffb5390b3aeb7404b12658c3b578d57455cf86b4008c2f63a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1bf9d23a0b4bb13cf504eb0f0fbc294f

SHA1
51aed5a10b055af0c3bfaef1403934297944f11c

SHA256
bb238cd7a109ae8c6ac881182b9800ccccc9e32eda2b6e6e8cb63e94ed8a6b6a

SHA512
fb8a16d4d6a03329ef808a5baf7844fa1867d6a790fe518de457d2896052fc7b57785c5bceeeba7fdd91f96e03826d8b5ea15d2684c7b97c6b90e04a375d054e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1a82edd51d2c7ada27aff4d8899244db

SHA1
97505cc7cf083228b5ad84201758c5a261772ad4

SHA256
b43327112481eb5dcae8536db0b2781d72e8a9ae18fda07e2913774bcc2d0955

SHA512
6a15ea4c826c43f3168bd0783f7bb53656bac07b56c81d2e4195134a140fb8201859f07e16bb6268c1cd7143a4a2960f2b5d6fbce406219c30dd75ebfa62585a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e240ed9ea5b64d7f6d6e4558dda66110

SHA1
562020ab8889b94b46aa272fc721ad053e8b6972

SHA256
0ee74be99c1951e4342f3b823a68695954c21ee5d76571e19d83a49c21084593

SHA512
a2fbe9fe8dafee6c217c6b9ac1ccabdace6f12777c5eedc278977ef62f70eb3f522e74799cf95b5da70a16444ea63c6e11ce0f04316689b163eaf4d17d81ba68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8d5e605717a902a00029c5007a2acbc

SHA1
895857019d8d56ffaff2d2452e08168468133ce4

SHA256
e93c4da95d8a54fd836b577e93bdd6f43f58045054c630307ff09fabee2ed321

SHA512
85d6c9381ad153e46fbc2691d7b382d8538a1fbc07ca45cefe77dbcd344adfa861c576504d0d2c580fbb2c36f8826448234541b690aaf24301b1ffc48c64437e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cdd2cd499f35c555a4a8da6d2257d6ce

SHA1
ae68e0864bb1fc89d28732bdc7156f125b6b0a74

SHA256
49d6a5ee3e51da74b7ca174997a28cf99e75c9281ac16559fbc442b43c7ae6aa

SHA512
816c48ce1f3cee78907d3b0e3c2558fe3568ad4c9fafc6b9f36e0bd15274f68ea824a329291cefde70bae31eb10580ea62c42ae4e3f458ac8e46203a7075053c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a5b0133fb589bdfbd02f7d2c29ab91a0

SHA1
71ab04aa7a7fba304bb9a45295d48e59c4e41638

SHA256
ed3be644b367ee68757b0c6f46bab82455ac2b9c626345f05c0a44c912cec822

SHA512
7db8668d3b37bb488b73bef9093e0b62f63cc1bedfb41a3724314025ef7ea90bc4f250e56cb4246d87958fad16f45a830e79052c47a845d230c798112f55cbed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e614322f286f4966b910d096b9de872

SHA1
10a1891ce3cea5de95bc3eae094efa4f2ff11e8e

SHA256
fd5294f2b035032180779cb74cc057a13ed676517ececbd8841167c94ae66792

SHA512
f8f3f4bc202f8081251d0538f882dece95cb155f82f2529efda73f0bcc9fbf9cac01a9995b73b5e1c2f7583c77654d5743cdf5553f4716418c7999b32c508212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0F980871-07CE-11EF-8CD1-FA3492730900}.dat

Filesize
6KB

MD5
d42bb79ab4e6a9aa3e0cb9ab607939a3

SHA1
7904f9d7ef5cbeb979b66988acc10f8292bcf0fa

SHA256
957c72090745ee2542e1026046104a510a4a77dc3aa5389b36aa69894691fd62

SHA512
037ac35873b4c5937c4fa48dfc43116e96e587ae6de0ac52327c8ebf953293c4c4f1e976105bd2bd7caaa0da86550399697f1684f919f37a906c06dfefa24d4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0F9A69D1-07CE-11EF-8CD1-FA3492730900}.dat

Filesize
5KB

MD5
e89527c0e52e5271738762ba36344abd

SHA1
1a875c6759145dd641b8275f67ec7b6a51b74b0f

SHA256
7a0efbd6a25f2083185e199ec8d2d8ea36a46e91315f01146dfc02942d148470

SHA512
8d00802504511085e7ddf52cf7652924fec174659d5994907bc7d9f505c6fdff985a0fe691d6a31fe2d77995c6fc479228279fa9cb0882bdfdbf8bab624be960

Download Submit
C:\Users\Admin\AppData\Local\Temp\931399\GMSkin_Image_2012_v1.zip

Filesize
388KB

MD5
a1bc3b1cfbc2bca222149f1c8e035fa9

SHA1
3b83e21d38de489bd1aa4e875a3c98f58095ac8c

SHA256
f3d7906579bafe366da8f1779a34a103412fb1122cc38951ab2173bd3d6289fd

SHA512
d8bae9cf73ef484b10b84c386b7b311be5f5a07b2c38808d64fffa695fda7bff35b24797c179030a5a5ad30883ee4212236c40fb1020dbc0f6350f86ab7b4572

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab25DB.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab26A8.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar26BD.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\0c21f7f98acbb24b4578920510bc705d_JaffaCakes118Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\931399\MyNsisSkin.dll

Filesize
384KB

MD5
a6039ed51a4c143794345b29f5f09c64

SHA1
ef08cb5dfa598d9d5b43b8af49f54b2c7dac00d4

SHA256
95ae945504972cadcf2ccfb2b3d02ea8cade3ee53f2f2082e8b40b61f660877a

SHA512
0ed3d0c070bfd91e2355aec5a30ad5cbaf6949c965af5e0ee1ecf2edd5f5aeba3819b4667a0301f8b52c8fd56d3bae35fa4f77063d56c8f89055784d0c0a30a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE26.tmp\ButtonEvent.dll

Filesize
4KB

MD5
fad9d09fc0267e8513b8628e767b2604

SHA1
bea76a7621c07b30ed90bedef4d608a5b9e15300

SHA256
5d913c6be9c9e13801acc5d78b11d9f3cd42c1b3b3cad8272eb6e1bfb06730c2

SHA512
b39c5ea8aea0640f5a32a1fc03e8c8382a621c168980b3bc5e2897932878003b2b8ef75b3ad68149c35420d652143e2ef763b6a47d84ec73621017f0273e2805

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE26.tmp\MyNsisExtend.dll

Filesize
596KB

MD5
37e4e1ab9aee0596c2fa5888357a63b0

SHA1
a5dba8c0a1bd936dca2b6a81f2dc9a3005f1a2b6

SHA256
ff4b245fea98cedd881ca102468623a449a0b40df0c557dd8a6ea32e788d56fe

SHA512
5cbab2872683079c6cc09423a2baf7107b5ac5731f336cd237fa93a4a4ee53a127963dc0ec0dbc6168b9b3d2c3a881c7663ce4ecd84d964628dd566395d49bb3

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE26.tmp\System.dll

Filesize
67KB

MD5
bd05feb8825b15dcdd9100d478f04e17

SHA1
a67d82be96a439ce1c5400740da5c528f7f550e0

SHA256
4972cca9555b7e5dcb6feef63605305193835ea63f343df78902bbcd432ba496

SHA512
67f1894c79bbcef4c7fedd91e33ec48617d5d34c2d9ebcd700c935b7fe1b08971d4c68a71d5281abac97e62d6b8c8f318cc6ff15ea210ddcf21ff04a9e5a7f95

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE26.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE26.tmp\nsRandom.dll

Filesize
77KB

MD5
d86b2899f423931131b696ff659aa7ed

SHA1
007ca98f5d7921fe26fb9b8bd8a822dd5ae09ed6

SHA256
8935cba8e9b276daa357a809e0eca3bebf3fdc6d0d3466ab37fb2cbbfacd3a94

SHA512
9a4437ab484e4e22597c642d21b0107a063a208a582df3a5bf276466ad8d0ba9aeebac6de8dcf1372939984bb187d58e94c799918cfbe80e85c958bf0a537fc7

Download Submit
memory/1748-18-0x0000000000270000-0x000000000027F000-memory.dmp

Filesize
60KB

Download
memory/1748-17-0x0000000000820000-0x000000000084E000-memory.dmp

Filesize
184KB

Download
memory/1748-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2172-53-0x00000000020C0000-0x0000000002122000-memory.dmp

Filesize
392KB

Download
memory/2172-45-0x0000000000850000-0x0000000000871000-memory.dmp

Filesize
132KB

Download
memory/2172-137-0x00000000020C0000-0x00000000020EE000-memory.dmp

Filesize
184KB

Download
memory/2172-9-0x0000000000850000-0x000000000087E000-memory.dmp

Filesize
184KB

Download
memory/2172-145-0x0000000000850000-0x000000000087E000-memory.dmp

Filesize
184KB

Download
memory/2172-7-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2172-142-0x00000000020C0000-0x0000000002122000-memory.dmp

Filesize
392KB

Download
memory/2172-136-0x0000000000850000-0x0000000000871000-memory.dmp

Filesize
132KB

Download
memory/2172-121-0x0000000000850000-0x000000000087E000-memory.dmp

Filesize
184KB

Download
memory/2172-57-0x00000000020C0000-0x0000000002122000-memory.dmp

Filesize
392KB

Download
memory/2172-62-0x0000000000850000-0x000000000087E000-memory.dmp

Filesize
184KB

Download
memory/2172-117-0x0000000002880000-0x000000000291A000-memory.dmp

Filesize
616KB

Download
memory/2172-638-0x0000000000850000-0x000000000087E000-memory.dmp

Filesize
184KB

Download
memory/2172-85-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2172-606-0x0000000002880000-0x000000000291A000-memory.dmp

Filesize
616KB

Download
memory/2628-43-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2628-41-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2744-147-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2744-148-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2776-132-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2776-131-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2776-139-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/2952-89-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/3020-44-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/3020-48-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3020-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download