ramnit | b111298369fa0dd2a784daa671f93dc0c5d3c0d566d39a00909fece66502da69

Analysis

max time kernel
133s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0.exe
Size

692KB
MD5

031ec4623ccb76a9884c4ce825fe32c0
SHA1

4ab1bdd87acb98e7b237161c1586c9e75b934b5e
SHA256

b111298369fa0dd2a784daa671f93dc0c5d3c0d566d39a00909fece66502da69
SHA512

ccca0649f513dafeb27f5d38f1d44fad83d7a14ac25f6152611eb4448b5c4933ac0e104b6f9ca8baa35f0124979166b94593c5f36eb5fc5dfbd36bf308563602
SSDEEP

12288:fZ5gBxN+oknk2HXsMw6x2beVaD9TqOQXUW7VV7:fZDzkCXsMPx2esD9TbQfb

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 4 IoCs

pid	Process
2340	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe
2884	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0SrvSrv.exe
2936	DesktopLayer.exe
2744	DesktopLayer.exe

Loads dropped DLL 4 IoCs

pid	Process
2956	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0.exe
2340	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe
2884	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0SrvSrv.exe
2340	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000120fe-2.dat	upx
behavioral1/memory/2340-7-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2340-21-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2884-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x0008000000018bdd-16.dat	upx
behavioral1/memory/2936-30-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2340-29-0x0000000000270000-0x000000000029E000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0SrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE753.tmp	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE762.tmp	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0SrvSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0SrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441778478"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{66E89D91-C729-11EF-8D2A-5E7C7FDA70D7} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{66EAFEF1-C729-11EF-8D2A-5E7C7FDA70D7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2956	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0.exe
2936	DesktopLayer.exe
2936	DesktopLayer.exe
2936	DesktopLayer.exe
2936	DesktopLayer.exe
2744	DesktopLayer.exe
2744	DesktopLayer.exe
2744	DesktopLayer.exe
2744	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3028	iexplore.exe
2148	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2956	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0.exe
2956	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0.exe
3028	iexplore.exe
3028	iexplore.exe
2148	iexplore.exe
2148	iexplore.exe
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2340	2956	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0.exe	31
PID 2956 wrote to memory of 2340	2956	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0.exe	31
PID 2956 wrote to memory of 2340	2956	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0.exe	31
PID 2956 wrote to memory of 2340	2956	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0.exe	31
PID 2340 wrote to memory of 2884	2340	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe	32
PID 2340 wrote to memory of 2884	2340	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe	32
PID 2340 wrote to memory of 2884	2340	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe	32
PID 2340 wrote to memory of 2884	2340	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe	32
PID 2884 wrote to memory of 2936	2884	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0SrvSrv.exe	33
PID 2884 wrote to memory of 2936	2884	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0SrvSrv.exe	33
PID 2884 wrote to memory of 2936	2884	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0SrvSrv.exe	33
PID 2884 wrote to memory of 2936	2884	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0SrvSrv.exe	33
PID 2340 wrote to memory of 2744	2340	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe	34
PID 2340 wrote to memory of 2744	2340	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe	34
PID 2340 wrote to memory of 2744	2340	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe	34
PID 2340 wrote to memory of 2744	2340	JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe	34
PID 2936 wrote to memory of 2148	2936	DesktopLayer.exe	35
PID 2936 wrote to memory of 2148	2936	DesktopLayer.exe	35
PID 2936 wrote to memory of 2148	2936	DesktopLayer.exe	35
PID 2936 wrote to memory of 2148	2936	DesktopLayer.exe	35
PID 2744 wrote to memory of 3028	2744	DesktopLayer.exe	36
PID 2744 wrote to memory of 3028	2744	DesktopLayer.exe	36
PID 2744 wrote to memory of 3028	2744	DesktopLayer.exe	36
PID 2744 wrote to memory of 3028	2744	DesktopLayer.exe	36
PID 3028 wrote to memory of 2632	3028	iexplore.exe	37
PID 3028 wrote to memory of 2632	3028	iexplore.exe	37
PID 3028 wrote to memory of 2632	3028	iexplore.exe	37
PID 3028 wrote to memory of 2632	3028	iexplore.exe	37
PID 2148 wrote to memory of 2968	2148	iexplore.exe	38
PID 2148 wrote to memory of 2968	2148	iexplore.exe	38
PID 2148 wrote to memory of 2968	2148	iexplore.exe	38
PID 2148 wrote to memory of 2968	2148	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0SrvSrv.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0SrvSrv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2148 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2968
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43a3c63da0f6afd88af58edff8399684

SHA1
e93ca6d655fdb76b8fe27043140d27f8bfbd658b

SHA256
a051bb49ddb24e49375bc7a09c5e0572dfc5675714be9b65a7b936694099fe94

SHA512
bf08fdfe21e8ac0917a7cba6e00c5552a975eae3f5f495351e57f9bee83a62373424eb40607471fba737f7f54e08425d9d3cdd657240d875ffb0702feec1bc80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de558e3185f5a9a782164ee6a480cc9e

SHA1
2fa6c5e82432a2addcc57e6f0504b1b226d6c3ec

SHA256
442ed9a7f09392b604946a997243aea3b94d41ea4cea2928659f2f61ef8909d0

SHA512
6f94d45f978324b06916ad6ee94e2b17eab75d9524937dd9b102830515d5bcc2051f0625e4a3c1fec9b86360fd228d71952bee402e2a1374b7ed5422224e5161

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff4814dee0bd38b57df7a1182c75253c

SHA1
421a607a40c25175be5d6dca24a9254a6a33b035

SHA256
79a0152452d2bec970759dc48400c8887b501567f4f264c3bd04976835e20fa0

SHA512
bb0d6ed1f38cea5739571ccec39e6336c19f7fc66e5ca64e993990eb658ad35a98ee56112dd600a84f1a9d6595025008ba142ed7a3aa399c09ab8b42c2fcbf2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c81e99fe4d4d6fc2e0f673083152c6e2

SHA1
a7516fc3f61d885fb5303fbe4aafeeedf5d54fe1

SHA256
f434cdf456765713bccd20009c4f1dfea922d06cf25fcc3f20d904d915d9fffc

SHA512
d6033eb1783dfd0f47e0aac9cce551c1b25e280271588b1eec19fe9122b770c18f75b32d7b00013716e4f435d794a19e59b18fdeb7a8d3f915afb1b03b94b80c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
003fd719908c7a1595cfd6e38fbbf705

SHA1
4f634d8356fec5e482478e7d4e4e6e15e506c089

SHA256
b847002ee5fd6d96c074ad4c5d51ed1f484fe9d90438258de550d28ee85ac489

SHA512
f599ea92a9abba16ad58e61a5c5889d402acf14c2e3e8d5af9e6481cc3f015c71a78dc0a0fea84e821237cae3f9bbc0089c3922ab483b9f95003cb92e0f383df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbef4bfe6a3276c570c16238cc98143e

SHA1
f5e1f27b55a2323a110a27b723326d33615cfbcc

SHA256
80505364e5200a111868cd73b627e6a337d4d03f646e6677f81838565c4563e1

SHA512
08f7ec9fc90c596949d7d1e024ec298a9c4a6f6c15191d4391b1a2b2ef925e2da2b1f03f3c9def8b3692ef215e82c5e0cf3962032e458acef2514231ff8bf65c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f250c7c6323cdf6b7200418d96badbe2

SHA1
b0c6d19dacc5ebe46f843c731fb6a65b55f2feae

SHA256
7b19393a296ef1f9db3eca3b53b92aa76c2c1e3c3365462bdcbe06270c13b120

SHA512
9ecf7cd23d040b21890468ac091f1229f97f1153855309cc73f1b436fe3c69a4e2565866a199c9f5c31af86d1540222292f0e06749e9013a6ab7ea39e229f6f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
289bdf56b93ab27b74aabac6162aea6c

SHA1
eb8125009fd7fa0e286ea032e3ab17abe54927cd

SHA256
24d0f68781265e7c587c495d30d86f622b0fa093cf235683bedc8a89ee50f150

SHA512
1155f028eaec9b20e11505c9c67f48d6b5488ca1ce5c50848b5fa1dbb55e9ff544e3930ca2ff981432684052ad12746f5d85abdc256d0921974d5a19ba7672ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0878df06596daf7e487f8f16c83eabf

SHA1
c624d40c03705791915fa884d750f415a77fa07a

SHA256
9ca48af7d86914e24ecbe687ab8dbddf399c7d3f1050b714b3121bc9a50a1db0

SHA512
17f1baa8f415e0a68203b23849e4d96a4c11f767c74206a917c41a574cc02e6cad19a123dd88cba80e350f2c6b75c15fe4268733068e11a70527f0be9587cee1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb8b48888b131be8057292458893bd4b

SHA1
17763628fa40741aef7d2c4746253547df198a97

SHA256
b22fd3e6e11498a4c83392bfad2b1ee66a9ee0bfe78b27bd4d01a38472650367

SHA512
0f1eeccc9aecd214773de91a92396b30644200ce3809d7bb63843e7641ed3730f85ee1f7f2c80f08e83362afbc5901e83c80594a9b46245518cd010befe4028f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
720b0d3c7ebd7a7263927d1aa6128690

SHA1
b6bb7fa511ca770f8c21525e7bf41c81b34b8fd3

SHA256
12f56989a8fc92e2171c02246b509048099fa8e7834c36149a043523274b0012

SHA512
b6a5d446067662c93d418b3d640fedba56784794140ec0bb76f9f9d0a84b81da64c4e3765e571ec545ab167469072f89c409a82efb86f9c39ebdf6a089f8c018

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d9410e503c68ad979e2029e9202e378

SHA1
676c71aa2a4e5e24b64409207d89129085f481fd

SHA256
fee7a05176ea43ce48b7cd756dda483e2f67f035f743aacd9546ff0dbd5c5262

SHA512
72ecf5d75cf9d8b8d78d2174e34921beec30f75354ecbc4533acad0586b01cbe0a5884d79e67bc936610f99f481af3f4616eee89f34032dcea4ae7f7340ff315

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2643e384e91db24b6c8126cda538dc5

SHA1
425dc7bec8249075cf7052325f32be114c2015bb

SHA256
d223965d4da2f063379b95318d9df005e021cc9492c8221165c12199301b8152

SHA512
f10fba7bb765ce32bffd05296c29502fa8ba45e9ccdf4c3155e16bed7c8b1f37665e67ebfa7f0a9d7ca213388d8b4c3af9de85745b6c09c1a81816915f4fd9de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
359296943947b4b3799cbb0b795bed9f

SHA1
eb6836ef2656ed89260c8b1ae6b65ed74695e2df

SHA256
f070c0ed60a549ba8173f2aee4ebd5e6bef5e45861f9d9dc6e07d3055dc8f67d

SHA512
2e2dce22409b71a7693725f3e32ce961768414902ec97b5245eb728c697910a31bc3b397365d85a4b46c9dbfa46698c9dd3728415937d021b01bd46f47ced232

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0fb75cb8d7bdf8f23c46902dc0da746

SHA1
361376d4019ec9545c7e5dd82f20e3867a2c6346

SHA256
aa47bfa6839afbbe5cecc323a5e32749984c71a335ab78b8f7cdc6f53e24c588

SHA512
1880447ecaeaa40e518eab23522f59ede6ab3825bc23310405dfa13218ba2f4a76cc14dc41498abd0d821c344255a98d4b2da0548385ec21e23ffdbc0bc68d6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98b6221aba600ddfaedac0edfec5701e

SHA1
fa2513219c8c8c82485574f6599b04421e9628a2

SHA256
050c5c8dbab8376ad2a51abe8d19459ccaab8a242b61b5843fe69f00f325e793

SHA512
3da8a239e051f647095775532bd26bc81c0b17eed84ab5d20992277d07fe30b7016978e1e42fd974a26fb0495b159eb20b0b66b78e3af4a58e551050cba49175

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ae7477a2394ed5aebe3cec80f8f1153

SHA1
156e582e09e1069948369887172169caab203c19

SHA256
9c5ec090e50a2a2413203c5137f1ba0148788264b23218e4b88cad0d8c645374

SHA512
ce2b7974141257fec0a5e73c87ddfad6e5bd9c58f3fbcadf37e9ebb8b162a65466a561680a36120831064106e176195372565afcb66f4343a0f8e3e0d823a774

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e068657a19c0961ccf93aeed8e1df98

SHA1
109b15ab26881df3fd6e35d8e5eb4dbf37193a5a

SHA256
ef102dd24f3d60158343bcacc9f99c84e3701d2c39f7d8b0ab4f6bcf1e32acfc

SHA512
eb31bb8e93cc8c6700c4b4d6ebf114f7988075def40c3ebef5949e8bbf82596cc7a5af1ae0f47b0bcddcc3b13426e90e10421328698d8ac47779c50e1beb2361

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
104dd6009dce91a718e05546871411c7

SHA1
9f3ed3ec0bab2f948b8ae775b401b52b91221db6

SHA256
15cfe0e6984510c956157a2f94decae62c668a0c9493a9def03b0d91705c1b66

SHA512
9fed7ab782dda15144424da425267ce28113dece810cd2e063a27e9c0c1f67d0d218b2008ffd5406de727c9b0058548a20bef3478de644046952838121966ad0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c3e759ed6fb59741222ab1c0aa37a4f

SHA1
b6506f299a211bdafdd100b1a36651a7229e764a

SHA256
3d5fb8cb6d4832338917f98827af3f0f43525eb75b06aa64bd62e50bfd8cccff

SHA512
92b7d9c26f6a15b7517ab3e313c4af4ea8975cb7c22a57ca7c8a5533c8775928ab17912a224c5d51321c95a136cd8d1d3114b9d30dd3449e6c166ee6677b4db6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee95c7f2f9d6c271fbfbd5787b401fbf

SHA1
57b334d7a59b3e3013f291d91c57f6cd519814ff

SHA256
e43bf41e45fca0a0eba85af0feda03db14b0d4ae85049fae092bf0b8d8248871

SHA512
b3abdda61daa7adc0310e87a502811a6efeb1135079c8ad3ba20a84d94171edcec57fe63fc949970b62397e502839d3ca1349948236e241e3f41c02811827b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{66EAFEF1-C729-11EF-8D2A-5E7C7FDA70D7}.dat

Filesize
5KB

MD5
3708d6388febdb067e3d8bb6d4a4277c

SHA1
178aff867964755a0060cd7b893dfb6e74432fc8

SHA256
ac75ae7cb8bf01097d6c66eb759583eb2d0c6e1d3523d7e407ac2c9e9ff5dbd2

SHA512
e42ba3823b9ef205a278366d94279582828fe6fc993509fd9059b6ea9e5ab700e36af850cd8fad21ae1e3699aec9d8f4a8149672250a886f2ce68285d1c7730e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFD74.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0SrvSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFE42.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe

Filesize
111KB

MD5
309d79d766e9b9025d15adc1aa5ecf52

SHA1
cd2b67a54850229ea8b1e8b82270ccdf0bb088e8

SHA256
3d3a07dcc43505b2ecafaa8fc4164a70f66a234c894a7f902444a6fa82e07868

SHA512
63cfcfe9ebfd634a1a248eca12d174854c5d828d2e610fb3f65e9a5d5106969f212ec466933e4d6afee2e5e4cd31998ea844c0c1f4ccdd78fa10a24650567308

Download Submit
memory/2340-21-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2340-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2340-29-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/2340-20-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2340-11-0x00000000001C0000-0x00000000001EE000-memory.dmp

Filesize
184KB

Download
memory/2884-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2936-28-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2936-30-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2956-1-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2956-4-0x0000000000650000-0x000000000068D000-memory.dmp

Filesize
244KB

Download
memory/2956-36-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download