ramnit | dd89e60836ab76b394b6e24ea3d8af2591851326e248782d1b70e7a4b5f7c19c

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea9c5fdf54aa9f5b1c32b16caa5fbc91_JaffaCakes118.exe
Size

52KB
MD5

ea9c5fdf54aa9f5b1c32b16caa5fbc91
SHA1

85772b888048b5185d9fa90dd477b8f79bb7adbb
SHA256

dd89e60836ab76b394b6e24ea3d8af2591851326e248782d1b70e7a4b5f7c19c
SHA512

7aa8b43054c27ac68634211d76e580f6bef54c84fe7bdf9a2f52d0d7dd8862933d154309cfd898ec79687a1e7d2e1c61a47bd7b20743f3cb3d530197cf465ad2
SSDEEP

1536:/3jv2srzVRv7Kf4AH+pdcDJVoYMeKTn1:/isXjTuoaD6eK71

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
2128	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
1948	ea9c5fdf54aa9f5b1c32b16caa5fbc91_JaffaCakes118.exe
1948	ea9c5fdf54aa9f5b1c32b16caa5fbc91_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1948-4-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1948-2-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/1948-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2128-16-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxAD9D.tmp	ea9c5fdf54aa9f5b1c32b16caa5fbc91_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	ea9c5fdf54aa9f5b1c32b16caa5fbc91_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	ea9c5fdf54aa9f5b1c32b16caa5fbc91_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea9c5fdf54aa9f5b1c32b16caa5fbc91_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432882997"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FEF11921-7641-11EF-AF9A-46D787DB8171} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2128	DesktopLayer.exe
2128	DesktopLayer.exe
2128	DesktopLayer.exe
2128	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2816	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2816	iexplore.exe
2816	iexplore.exe
2556	IEXPLORE.EXE
2556	IEXPLORE.EXE
2556	IEXPLORE.EXE
2556	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1948	ea9c5fdf54aa9f5b1c32b16caa5fbc91_JaffaCakes118.exe
2128	DesktopLayer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2128	1948	ea9c5fdf54aa9f5b1c32b16caa5fbc91_JaffaCakes118.exe	30
PID 1948 wrote to memory of 2128	1948	ea9c5fdf54aa9f5b1c32b16caa5fbc91_JaffaCakes118.exe	30
PID 1948 wrote to memory of 2128	1948	ea9c5fdf54aa9f5b1c32b16caa5fbc91_JaffaCakes118.exe	30
PID 1948 wrote to memory of 2128	1948	ea9c5fdf54aa9f5b1c32b16caa5fbc91_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2816	2128	DesktopLayer.exe	31
PID 2128 wrote to memory of 2816	2128	DesktopLayer.exe	31
PID 2128 wrote to memory of 2816	2128	DesktopLayer.exe	31
PID 2128 wrote to memory of 2816	2128	DesktopLayer.exe	31
PID 2816 wrote to memory of 2556	2816	iexplore.exe	32
PID 2816 wrote to memory of 2556	2816	iexplore.exe	32
PID 2816 wrote to memory of 2556	2816	iexplore.exe	32
PID 2816 wrote to memory of 2556	2816	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\ea9c5fdf54aa9f5b1c32b16caa5fbc91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea9c5fdf54aa9f5b1c32b16caa5fbc91_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7e095ef5b7d1df6ff8fccc6672c4fcb

SHA1
a980734d3fedc656699a920b15784ec9bba9b6cb

SHA256
1e2d95183080c3d6a40906e7a328d3358aab79bae453f003b96b179ac6038152

SHA512
58d10749ce675c243edf818ee448c35223c0d2312bb50e0b67a5d9e727ab46479adf372c164155c2e3793b530725f54de247e783f5e5bd9ad45cfad439624829

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3c7712f94a4d35faff7665ada0aae81

SHA1
00fcf1bfb57ba2a54b2b8d7369c800a1d3a8e25e

SHA256
11920489be2491320a8bc5a9c9955945e894102ca5efd57118ab61f9f285c53c

SHA512
9717afb9647f74347d7ea575b16381a01196f47b907fa2daefe6d149eb31c568fe5a60c8e88c4e47524fc1e8a908777b6b05635004a5ce08cc13d6f31b2780f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae31fc17cba3ab46565fd68f90c5da78

SHA1
cd86be111da6c28a5f258a4f82e4fc832b7470be

SHA256
31f94b80c180496e22fb68861fb7d8285c3d795a79bfcdeda64857fcda93afd3

SHA512
221b395e1168dece020c104610eabbfbfa46e10feee74687acf0ee9d659085690c0659c57daecaba2227a2f7d56abaacbad2da04460e98cff7a04b782431f886

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a30563a785e9241a2916296230fa73e3

SHA1
60fc9fb0311cc0d22d52cfb8845b4cdf1c77f6f2

SHA256
a87f6f1b444c277f504d2444b26cbcb73cde3bfb2ef25be339681aac1ffc5add

SHA512
40a68de65acb608443caf3b0c2e5d1901ea5661ccbb41370ecd1c07f90008bfa1140b511362cea95470cf278f033ab37ab1baef7221bddd8404692f03eb9ae17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ce8d15df619fea7c6102b049d926abb

SHA1
29b6fa7a28edd1136788247a2c686a4375c49acb

SHA256
f83db06c81fe0ffac42572c849d4ef95268def43ed5330e2041e51c9380ff824

SHA512
3bc195a046491a7330d84c57eb3cec4b585f732fa1dce1bcd1be9e8e96f7791c51a3cdc1f295f9b98cddd9ac2efac4e83b12509dff386aff263142c86c483313

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afe05e3ded40e1b5ae5c4003e953d73d

SHA1
7e4a4488a5aa91a98a432ce42c6ea6c3e8f3977a

SHA256
06e0eb238d333bf26d33d90e25561c68f09cc26c5acf4ab8d6e3f38929028fb5

SHA512
9df6e53980c57d4bf33ae06a024b0c1cb970f3b771cbcc4e6466f16f5bd2f4cbe688ba0c97d97b4feb92f737f034344598c67e28e721c78b47fa5901d82d4f4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8b18e4405167cf553112c4beb2b1b31

SHA1
5b6941412a89a05bb5b4386fbc25cbc7a8e1c648

SHA256
338a41a2a5fdd7127a40ce4cff822f7d93c34ea28ca571661e9930a62eb72b8b

SHA512
2c2b2a689a1c394f4d1260eb5675047123189be1b3ddc3ffe474f1995c41345de86b6262a354bdf86b80143c0bc728c5a0896f01cb6de1007ca6a5528358da71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9989cd79f63f9bca48fd115d6a2e95a

SHA1
fbe3e58c0ee9041bce70c18af5d880c143551cdf

SHA256
9b6cdd11b9046494528de0a3b05091a5c61e26dcf3ed2ca630ba2b8993683f5f

SHA512
0adec94099230bf783c20740c58b971ff288356f1532a5d6f07be3175736067252ab42bb178a633246b6e5dbe60770a64e30aae6c487c828fd5f60c716c78c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c389942407801d5ccf9c93c3c1ece17

SHA1
ff5431906d0de1b6d0cdb44248502d59f11a21e5

SHA256
7458c5da7939920860cf8e44cf1dc1627a935e3586704d342b0d9e48fa172478

SHA512
089b8215446212b288ac9ca561c0f8e812a12a97c4f6d3d4f46b72d09a2e3740940e7115f1723928f303c1d4ccf7a1452b3ad470291bcdd2661cf585622adc91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3587da6fffeeccb65e046dee3443e88

SHA1
a18fdc68ba4da3771fcd08c60c789089334e9748

SHA256
8e6b695f293f25a7b64f14fe1346b0ae363279ffc3082f41ba029c078f953b75

SHA512
697c6d2ce7f48c0d3d5a6a6627111c4cef478af6e5cd1e2ae915ed48d021c7c895daaa732dc4a82169f78504d18eb7d001c23d075da96fdad5d8bb13da37fe76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b5693fc6adedade5fd3ffc8d4909abd

SHA1
c2d1897529fac3bd52ced4f2af873739e47c15be

SHA256
f3e3a8920327e4b1f5d853fd5d693a9e3fa8a88bdad7a4afc702b6abe466417d

SHA512
a0454864a47b92919d1d470d40c0683b880dad5bc2045792f93c1187bde004a8606cd8c2b583d2088788d1486490f029999475e862cfb85ca51522ee7f8b4479

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3acf0f75310bc4d6feedb7c575097f4

SHA1
056dc9ea48213b569950db8b071950834408dc61

SHA256
6c4e276995ca176c7bbc4498fc243a6705e07f173ea327379db78fbc7468fc7b

SHA512
b41c51fae5efa67529f6446c364b9da1bb182c7af9131dcfadd55c464f21bc4861fbf59571d8e93b43c6235ccad248a2ad1cc971c7f13ff72bebedfb211aaeb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ce4ec75227c5d78f684b3ab5e3c0644

SHA1
55d6fb485b2d5f480329615597ae9dffe25915ee

SHA256
3aef74e3366f5b4a33f073dd143b8f45fd77fbafa1a9143acc329b81d6169e19

SHA512
90ff96bc16748cb76b9d7447f85cbe2961ba1a7125e4232162751d57e11f056329cd226c9dd4985718a6a5acd4de893ef30714cee7ae49ec0b8c983c02482da6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8f8d9b53307525cf13588d268952f23

SHA1
826069602f44bd370e48fbd278bd7b0b60ebf261

SHA256
815461848d79c9fcc87de8e3e3c677ef259b7f38b0f26dbb1c5cfc16158b8ab7

SHA512
7526665233896fb8992e088a1e878c094be5149f718899e586fc014c78ed1fa03d43578abac46224cf647f7a68f80e3782ebb7097a095edab85e22c9a4a557a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7886a9633d506318e8887e99b29b927a

SHA1
7f348ac0e4a043c3190197562f1d8515aa7040e1

SHA256
c2e9592de67e2c14b4687bfb3c8fbd186cc3b4483fbab307942cc82bbd191965

SHA512
c9d4682e3be0bd38ba10748dfda9e0a18d807544fd64cad4ac791083bd373601db0bd86801e5d4cb5cbfbe71fe00778007607ceff53258e9e1345f889b937768

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34fce0e54eaa9f0b1457598da0db2f90

SHA1
ef4d1af4f52468c4ae26af0ead4bb942ed6411c4

SHA256
32c8b0ee61b8259b35a3ae7c51658eecf80839dae3095df6087b6b6e4e2d642a

SHA512
5388c1cc3abe3cda7edd6f8fccfbf6a38e2d4e1231838416359a61fa5bfabb25233b3a73a0210a810f0b196c5c38dccd3b5702e07bca0cabe61d72ac231f6c87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79dae348e5c3b4d317acd650dbf8fd6f

SHA1
79d0128ad815cb65834f200c5b964f671ae14b98

SHA256
edf1cd57cf549c9d64e3a9273876987c0f9fd3720d212e80cd78348c92b59c17

SHA512
0cdf9c48e71d73d21a4f49444c9fb0ee81540ede1b0cb1ac5291dcb91cd54143fbfda11cc1d4aaa9fd5908a6c7891a6f9d4d1420efcff11f49ff45e41e0b5dfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f8b9d6992e18fb83dec2226f0882fd6

SHA1
5630bbe99cffe34e28cee8fd4a326a31f3732c50

SHA256
6776adc722d3715d3e7dd138a1e2ffd16253da0851b50a61ed17215319535899

SHA512
196a380827fb1cf6e7bedea49d84192a0750d087bc15e61347294401e0f0f0ae910ccbd3b162accefe8a2799f1aaf155a5b53d581086fdfa6bc14e61673c1434

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fbb4ee9d68b0701e7c96b8dd424342f

SHA1
392a3a36fb7cced3bf18e3fd94d849043f767b71

SHA256
baff787190eb6df21df90a3082d0285d0558bd03c305487c3c44b2297336478c

SHA512
c1345038d770caee8893e75b3066805700d1d0f31d158d3dc563ac3f4c9a3a483cc056e99dfe9e74b5aaa1c5b1edf95caa4c415492e938b8519f5c07c6fdb9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCD7F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCE2E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
52KB

MD5
ea9c5fdf54aa9f5b1c32b16caa5fbc91

SHA1
85772b888048b5185d9fa90dd477b8f79bb7adbb

SHA256
dd89e60836ab76b394b6e24ea3d8af2591851326e248782d1b70e7a4b5f7c19c

SHA512
7aa8b43054c27ac68634211d76e580f6bef54c84fe7bdf9a2f52d0d7dd8862933d154309cfd898ec79687a1e7d2e1c61a47bd7b20743f3cb3d530197cf465ad2

Download Submit
memory/1948-2-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1948-4-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1948-3-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/1948-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2128-13-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2128-16-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2128-17-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download