ramnit | e5486205ffd10d2532b82dfd9323e4617182111283272b4c7bf4c2f9a52efdfc

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_43f35c2992fefb165aea0eb254fe3230.exe
Size

1.0MB
MD5

43f35c2992fefb165aea0eb254fe3230
SHA1

52a20d02f69967839e4f131a3af1a998b7a932b4
SHA256

e5486205ffd10d2532b82dfd9323e4617182111283272b4c7bf4c2f9a52efdfc
SHA512

eee730d27aca14cb50425894d557f937fcd2b4a177533e9287280a5cce9e616b48090b7d51f50597bf3c74c44b14bd417359e08bb30e65a2f48ce0b1a1665756
SSDEEP

24576:j3nmLCzvpI6QhAM7LttrJan8KnseJSG3krYVosgR5RyUsSD8gvE:bm0I6QGM7RMlnse9q3vyUs8LE

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2728	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230Srv.exe
2864	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2312	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230.exe
2728	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230Srv.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2728-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x000c000000012281-6.dat	upx
behavioral1/memory/2728-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2864-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px7262.tmp	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3ACB0B21-C7E8-11EF-BD4E-7E1302FB0A39} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441860438"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2864	DesktopLayer.exe
2864	DesktopLayer.exe
2864	DesktopLayer.exe
2864	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2780	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2312	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230.exe
2312	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230.exe
2780	iexplore.exe
2780	iexplore.exe
3044	IEXPLORE.EXE
3044	IEXPLORE.EXE
2312	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230.exe
2312	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2728	2312	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230.exe	30
PID 2312 wrote to memory of 2728	2312	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230.exe	30
PID 2312 wrote to memory of 2728	2312	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230.exe	30
PID 2312 wrote to memory of 2728	2312	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230.exe	30
PID 2728 wrote to memory of 2864	2728	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230Srv.exe	31
PID 2728 wrote to memory of 2864	2728	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230Srv.exe	31
PID 2728 wrote to memory of 2864	2728	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230Srv.exe	31
PID 2728 wrote to memory of 2864	2728	JaffaCakes118_43f35c2992fefb165aea0eb254fe3230Srv.exe	31
PID 2864 wrote to memory of 2780	2864	DesktopLayer.exe	32
PID 2864 wrote to memory of 2780	2864	DesktopLayer.exe	32
PID 2864 wrote to memory of 2780	2864	DesktopLayer.exe	32
PID 2864 wrote to memory of 2780	2864	DesktopLayer.exe	32
PID 2780 wrote to memory of 3044	2780	iexplore.exe	33
PID 2780 wrote to memory of 3044	2780	iexplore.exe	33
PID 2780 wrote to memory of 3044	2780	iexplore.exe	33
PID 2780 wrote to memory of 3044	2780	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43f35c2992fefb165aea0eb254fe3230.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43f35c2992fefb165aea0eb254fe3230.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43f35c2992fefb165aea0eb254fe3230Srv.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43f35c2992fefb165aea0eb254fe3230Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb7a65be247648c4bd171206701b8335

SHA1
c67c7c62610c8cbda37811843ea619a5cbe2673a

SHA256
232df321e44c7067be39e9a7676a74fd4d75c4108df1f3caeeda8f8f20bba9c7

SHA512
9b39fd8c118bc18222f7345ec5c909f6056f37273e8d87e344f45d989addd0292aca09265318394f4dfe5d522981f973ed20b333b52754d38dcc205bea258630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
276911d488a9c44142c417ae125e163d

SHA1
c3069f23626771d9a3900217d19bc01791298244

SHA256
0b3cb27e92a239e2e8a896e90a32cbac014ad8e0ac2f2b5cf35977f21febf097

SHA512
32c3785d227cacb2397c747a2eae08e2140e149169b7059dde954217de8fda71bf4c2e33a87276770fbc34b9e184568843b003bb7ab1401201a854a26eb5eef0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35f1623c46c3195f02b64e3a81c31e4c

SHA1
cd7323b062274d078cd985c0c424619f71b2052d

SHA256
3ae0424c60f8e06ffe170335f509f678388e3f7b4dddf4a9a960c9fe54458b95

SHA512
9b28c2407e5a8544e0a1c98685b9e0ab7b2711dcca26d67adf10ffce1f48e29e431d5ff9ee76dcc7b95df68010ed2b10c6c49c73c3758af2c0fe6971d6488702

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a88af931f3626b9437c488f160443ff

SHA1
b4a96190ac682c60029900b79a3cf7b682cc87b1

SHA256
76cf2042316771c79048e9bb5ac1f3f8fedad0ff8e2738b33cbd5d0303a5b74d

SHA512
53520e2cda665f34f5c89858fe4b0685290864edd0b60eecb929979af3cb08e097616d4c9eceb425c9a53f0ec909e4a89d22d26a5a33d79b83c5ea9880a892fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0daef22ae92c59d99b0451f6339cea70

SHA1
0c27b7ba1df8fca563b2ff155162a3d6223e61ce

SHA256
9641aea7fdb78786978080ac3526c848065823929a1b39b77131dc17a56ff729

SHA512
ed2e46f4e72d5abcf9101a0b41b8bcc7b2ff2280df86bb8f9f95dcebb03e09bbbc308961f4fb75666be5a5a75ab68fa94116d24108725c66f5cc9d660b0fd3da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65c64e29eb1db2679f98bd8c2e145264

SHA1
2892d4c5df7aad6851e608612ad57074ee797974

SHA256
895e18f3d326d56326cb09c815be6892552f00f5bdd9aab2c58d5e2381217ccf

SHA512
402e387ff4b222e8df18b89831bf9040e4dd3c021abee6e291955897c49357dd23ff2d249a7c89e8285e1b750ca29e6b40b4a9f5f8f48b0274b09cb3da5ab0c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b6544c7138b0f856cafcf64d0a83eac

SHA1
8b16aa7ef301800a366693fac00657a20ba5de2a

SHA256
7fa0f653846a7fcd3e6599da256ff04a8e1de014c9ee2fbf9d27827455336008

SHA512
471d68ffc1cfce04015822fe561e2b74ce34a003b10148ed1f132bc8eceec6cdc3d957f10b98dc632616716ec2361e4eec28efa242ed6d23ed838dee1773083f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee475aad4fa7a7ef3b9c04823b2a7e7f

SHA1
442f0610fa7f5f9430168f27f4c6de572d15d7fd

SHA256
457584e4493e1040569ecdefc9f06d6d7c05b9f93cf8446c9e28393bf7268ad7

SHA512
5dc44777a9563b653ea17f9cda52e1b35aa876010128dfd42808c241f7187e49d8c9185a5be086978fb9ee2abc87d1c309e5935d040fd851964a61667fbbc57b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbfe193c71c45435c77941fdc27b26fc

SHA1
3085d362752bc73153e9b787871ee5c1da26cf7c

SHA256
cf49d7c2f94606d895ce16bf1fcf587d8192c4aa36295906887cf7769ae91cdd

SHA512
bd77f1899e5622a30914259e44a766797431f01d6862d23a50e5644068aac53c2060cb1be32dac6636df1d96d04d5b48cd0b4bdf8afb65cbbc8a0ee27266d2d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e63bd6ef1e4917208e23d6befb1098a1

SHA1
221e5bec04475d6e02c9c0176c9a7bc6da32c513

SHA256
e17a6bd990a8db29aeb30c38f0ef0c4e56d67cfac91149c2af1d094624084866

SHA512
030926076ca127c6d4a8424b67d23c44d98f279699d152d639f59a98dbeb0faa774d3061e66a5c6fb864825e240deeee585ba20556803859ab746fe287a67349

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4715c00a0b7c0949221149911cf6f85d

SHA1
1b63da56ba33c5ef6ead6f2c4f41ffe8f3864660

SHA256
50e9a4fd904d816d586d44e2d728dd5263dc3ef2e2c701b09da3846eb2a662b7

SHA512
9bc036792be7086a07d08c536cbbedd2e1a14999d0e2c6effafe320636075ff7ed994af6d61d9222644c86691270e8dbcde38db5ecdbe1f662da1c2a5af8df05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89227f74e2c9abebbac58ac0170a0c3e

SHA1
678d15e3a9d100390d9f799b2ab041ed70078687

SHA256
3922af0d760cbfcaf96ef582a30c67020e0a3db658dcb0422bdf0a1296d26b41

SHA512
8c583eb476e8858bda471f358d4362a2f43e284d4763daefe7e051f3238f13c9dd4bd2d56c7ead6b2d31a19c71196bb8c6493b382c4662c2325d411aa869ae9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77512e96b493772cf57b6f728fb69f66

SHA1
0d6ee0ae52a64735dc72f4a9e7c0c16b64ebb0ba

SHA256
9c20d8831b961eb38f6f08e407ecb14f175e00208bbcd931b523530e13120d07

SHA512
05a825d9dce9a157be90d297c3ec3fc4d6c2e0682f0504cc355af1f6cd1165b8bd458ef3d055894f7eefda4978844c43608596f9dfa98da8c5eab869360a8b69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0baec8787a4ea7d0917cf52f6e51ddc

SHA1
002fac3932b63084dbf8dadab6c655cdd10f641c

SHA256
6cec86416ee382124defb75c077540ba5fc26251dc94c15cfe8ef8e2067eb534

SHA512
24026236028dd1f5944be96b340ef5e22eafdd4c8ff83c1db9dd07c4378bf222add752fc9a958b39d0cbf217a2f2ae13a65462d8de3932ee62802e6f6c6af249

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f19869be8067c601e0d09ecba19a9c2

SHA1
927ea14970267aea6e72621d17dcb50f16cd77f4

SHA256
6d874a043b15542cad4ddd03266a9a7d6ccef326c3d37ae527cbdc5b78f899d5

SHA512
0c6ab5fdbe1d377d096130a9d7c65334ce2f792fa3a170f532431088b5c1d2645154e3e9d6627d07b1fdd8ad82ea98555abe8b15bc7de1afa81135101e079bf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b61b16f6800c32222ee524eb0bc808e

SHA1
30a2dfdb639b9911fb944171d6cdbfe349d1f656

SHA256
15f5fc48e523500f3b4a740474f8f3b536fbe2340f35690b2461a0dbffa8c297

SHA512
3b3a609adfff8b6c6475a01b79cbff01f6042ef9f997f2ffeb148fe81d005c839bbf7f68620c69eb46ac457faaf90031a94be2bfcf520608e350b4ff4dedcc66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
744ee441bc4e4d561fe127abfaab61cf

SHA1
b11ab19acd209bf014bde4a7d6acc9056011e0e9

SHA256
41e45781a3a7db8041a70b040539c2e1c4dbb0253e5e838ca62818753d3e4f7d

SHA512
949750464887c6298d7011b9f1b7c0ed3c923c4b6ad06b6fad74e115dbd4df00002dd5e8de0d1fe5a9531d0a34004a6b5f7709467fe51b9e554d05cb621ad06f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
024974be506baa3da92409ef5a831e56

SHA1
b96e8ed0f15acb36717f72773f51098ea59784ca

SHA256
e4a435675bac7b212a3e37a8075c7b042622c2789dd11615c23dade81f9811f7

SHA512
209a2c1d321b496046e9e031493c3f3c0e6b0b76275b9254da4686825f9b3387d42db87f7c852ac525327db6513554d19191bc949a11526013c80b90fc833926

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10c003ae330b1b33f0af2b0ef14aeef9

SHA1
c010795c8cac7d41706d73902b04970dc7a5ee50

SHA256
cc7fdd2ec562fe6d3b3e00c2c2d7f8ed6e86b4cf54688611801367fa065398b7

SHA512
d1ab0292c505c51ff9ee5ad5281ffd66c77fd8d8a4c0931e7f0b73699c4a776dd8a29f68ff1c77a92503fb8b989859c0eb567dbdbff22fffe039ea518ab58d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab890F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43f35c2992fefb165aea0eb254fe3230Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar89EE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2312-1-0x0000000000120000-0x000000000022B000-memory.dmp

Filesize
1.0MB

Download
memory/2312-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2312-5-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2312-21-0x0000000000120000-0x000000000022B000-memory.dmp

Filesize
1.0MB

Download
memory/2728-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2728-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2728-8-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2864-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2864-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download