ramnit | fef4bd80ff48368dc8244e22f4c561a46dc484e5841178b674d58a6b3ddb54ec

Analysis

max time kernel
136s
max time network
134s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0.exe
Size

544KB
MD5

4552e1e6a2a8fbd737699805fc4920a0
SHA1

81e19a122790dfb7d042d316ab5cdbbc7b0a13f0
SHA256

fef4bd80ff48368dc8244e22f4c561a46dc484e5841178b674d58a6b3ddb54ec
SHA512

7ba323b9bb903eacaf312abbb2956203ea42d4020dd6f7ca6d63b2bffe874bf4c25f5cd386d105c09e5211f3e660ecfdb6d2bffb0f7cb2145563bbda1f971d29
SSDEEP

12288:r8zo7CIXN/HRcM+2CGvpAwsnXOQo7um9G:r8zexHRcMbCGvq7OQoqm

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2876	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0Srv.exe
2920	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2892	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0.exe
2876	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0Srv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Express = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0.exe"	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2892-4-0x0000000000230000-0x000000000025E000-memory.dmp	upx
behavioral1/files/0x000d000000012263-2.dat	upx
behavioral1/memory/2876-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2876-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2920-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2920-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2920-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2920-23-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5BE6.tmp	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441863538"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7150E9B1-C7EF-11EF-8B1E-52DE62627832} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2920	DesktopLayer.exe
2920	DesktopLayer.exe
2920	DesktopLayer.exe
2920	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2892	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0.exe
2700	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2892	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2892	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0.exe
2892	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0.exe
2700	iexplore.exe
2700	iexplore.exe
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2876	2892	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0.exe	30
PID 2892 wrote to memory of 2876	2892	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0.exe	30
PID 2892 wrote to memory of 2876	2892	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0.exe	30
PID 2892 wrote to memory of 2876	2892	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0.exe	30
PID 2876 wrote to memory of 2920	2876	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0Srv.exe	31
PID 2876 wrote to memory of 2920	2876	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0Srv.exe	31
PID 2876 wrote to memory of 2920	2876	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0Srv.exe	31
PID 2876 wrote to memory of 2920	2876	JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0Srv.exe	31
PID 2920 wrote to memory of 2700	2920	DesktopLayer.exe	32
PID 2920 wrote to memory of 2700	2920	DesktopLayer.exe	32
PID 2920 wrote to memory of 2700	2920	DesktopLayer.exe	32
PID 2920 wrote to memory of 2700	2920	DesktopLayer.exe	32
PID 2700 wrote to memory of 2656	2700	iexplore.exe	33
PID 2700 wrote to memory of 2656	2700	iexplore.exe	33
PID 2700 wrote to memory of 2656	2700	iexplore.exe	33
PID 2700 wrote to memory of 2656	2700	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0Srv.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1db4127f301407b60a1d8c426521ed3

SHA1
5ea2fefa6dd9759a6b4a7e00b1c993071642f7bc

SHA256
ecf0ba8d1b7e21a638af8442594de2545c3997359074c9fa4de4a02e847a3dd1

SHA512
48d5bc4073c5df5b5d4b294a89f7d4de04c415b52ad2c04ddfbaa673ee273f2419f8a4e3bacd7be77eb14067c51159de015a2afcd3ac7eb0418b1cb2c0d066ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09176b17f6c734490cdeca8a31e7e530

SHA1
baa34b7f208bd9d7127b1aaccf7eacbecf5c24bb

SHA256
25f5f335c3ac3d9986f58ca2860ab80ab2499712a330b6cbe0133b0c98fedbc9

SHA512
8cfa8f133f0a1e59fb0e0bd9260e33b47a0c65a2047b0f31b4b89c7989098dc5eb58782bbda47c589458cba298ff5d461d7aa967c61993a295a8dc94b764068a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdb961a011ee0508a717912dd02c64d2

SHA1
d55e3f7f62f5fd7ec3bcbc89250713cb8a8c5a6f

SHA256
5453b73394e9acf8834b43441103d6413084113ddebf43f9c5c9d6aeb8a3971a

SHA512
33ffc3026fe3a9c683dd6ab76497ec3c628862fb67ce56b734011b7741990a96e9d490be831276d6029defc9c21ba2020eeab062cd8a38ad7b5a6e0808c99467

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19785128617f782fac99ee09684d9b8e

SHA1
134a593aab5a3e8b602622155ec36e6ba270cc19

SHA256
24913ad61c201e6643f4a225ac562ace8b396ac5164a03e8764bac687b1f7772

SHA512
2f9db4c1c564bbc280a8b26438cd8fad7517d693866b0e7a0d18c7910cbe88dc1cec3c6c2728fec1fa57038bae4b03f84f13a094ea1bcd981f072ec663c7582c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
881ade7403440aff0adea828aab4dbf3

SHA1
cd5b5862eeeccfd54a4861dc1eb197d197d62150

SHA256
d4df8691c978b607b2584e28c5be9cf7ef9b7aa83b500120ea08f98c7d4e72d0

SHA512
e72a5c76adde69f5c23ec00d54a69fdc3e83635264f9fe875af6819e2a5c00dfe0ddb2fcbe409db1ef0da1c28efa6f0318c7f0c719ae480b738513ab34e84a3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16f94d53135a1107a66031af117accde

SHA1
5b7b96222fa81efbcc49a2d0574642507d2f5928

SHA256
ea7d8dd708037ef2ace686b827e1235370443893dba625d32398ee43dee8b3f7

SHA512
3aab8609cfa0025396646d1c2401ea173299a448617434587fa82650ebda5443cc740c0aa9cf8714daca89f15f9e38118f219ae866e504de56cd44baa0c3ef14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f4c9adfd3bcfd423582ca70f8874ed8

SHA1
b45f34d004858d5a9f6170870d99cf69687e22ec

SHA256
df6ddd68b3792011f06ab96650ec036bf2cda56c38a393d5fc820d532da8c9f7

SHA512
0bf0ca9859b51d5ade1e13b7bfc3039eb3028d6d24eeca3be7949426dd4428fb6b976be78ba12e62caa7f8ee716ce0e125e4d176cf7f2fb67be2068351146742

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdbde86778b952fd2682280e26c2bc7f

SHA1
7c54fe104c225b908d5d9be25c720f0ae7b86cd5

SHA256
fedb056131bd46652197e7e2d342f4cda2d0c526fa9f28d08bb499fbb1063f54

SHA512
998bdeebd70c4b260bd7e53936f51425c288d46682dc61a871b08308b35d69d7402710f36894d0d5f6caeca8b273c425cb173e18c82c9fb59cb1dad0447a5cf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1aadfab9f5feeeaec1df04c88552b60c

SHA1
d1cb89390991fd3e32fd30e2345f59005ed3e942

SHA256
598a970f20cd7893562c265af0d8a35095deea1388483e9f3ed47354c1819048

SHA512
85b3bd0664e3ac5d2b9ab6c47a7c9209ce8fd437be2baba435f2f63175fef927c45215939669bea06024b47dcf4ec7fbce4bc63399ac87f2bc308399c916839b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d39ca44042d0d46b1f0565472e21979f

SHA1
aa019761a4f8b9be0f9778795dff7862871f84ba

SHA256
d6d5d23cd1522e6a73c4aab792ed04efb1088ce27889fb8e5216e7b4e0a03258

SHA512
8383bbd4e400003077913f011c4210b92ed13293c662966dc20891a2d7aa54f1a7582decef4cffe615049799528efdcae24fa7cb07011b532fc7ab8491d026b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69cad8be6aa9e1a56aa6520a97c6ccc4

SHA1
59850ed7bee5d579aeac56c4125fe90c95e60616

SHA256
44c7c00191a1480a5d4452008d7736ab0f18ad64546f70e8369d0f101fa46e5c

SHA512
a727591602f0e478cd4f00c521561bc38288f3222ed2c6f76de7c4e657743da60ea043b4e16fed1e36e49a43e6332f6047d930c0121be4ad4d07aa818ae02c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d49a0dc94364c249dec8133060531138

SHA1
70f7e36776d44f257ec89a8cb81669211d3b1224

SHA256
ef19708e9ecd0452695bb246d23b3df4ed9db7e178be05265506230aeade452d

SHA512
9264f1e188850b462364bcf9932a8d3ea35dbafd326717d4280346a553c99863f36e7ece8127a367fe1b53a99f4711bd0e10e027afae6817738e3127b88ee72a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58909de3ea172fe8d748d5b9ce87f11c

SHA1
a0a0666bedc63f2fb021997d2d989671eab94bb1

SHA256
6b6df04f068c059b5fb02b8efa739ed60b44a132d93fa8e5497713ab582fbd9b

SHA512
8f54e3577e7d9cf2633627b25d1ddb2b7bd61788ee82de198fc3421cfb7455756c7712d0f030bc0c7b4911afe7c70e98e325ebfb2d96d8eb928199174ceec72b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72a246b61ee165b53e7a8739fbb3e4a5

SHA1
fd38ee3e419f958ba94f6107822442236b9b0c14

SHA256
a0dd198c3ced94fca1eee27c31dd148866b648e0cbf37526910a1ec05e24a756

SHA512
6f48523fa62a163dfa208437d7ddcf12b3d99081c057f3ff5456b84c9ba560b03fffe5e628cef4bb38f1da895f4d4659ab2414b112cd417d9f9074bde7f40eb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de6ea0e8617512defb7592e33b0c930e

SHA1
3c0d09ffa303e6d08e24e2593168d2f5e17ff577

SHA256
a6e4164e7590ccfbd650d3ffa1abaa0929ba2a844c4f44eb119d8d955eb5e955

SHA512
291592bef85bbafcdb3aea51b3279f28ba8aa8b989a3a97f1b9d66a79bd5a8aa64546fa2ec5407b22324af8f0967fd77efa35f3777300d91e556d20713062ddb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fa59e5046ec31e2042dbdf69c050259

SHA1
769ca0c3374fa0b68f778d5d7777051a6893da0f

SHA256
8f382c4a750550e99b9a9ea3006165c78e3a433648dc21adb3c6f786fa5441aa

SHA512
4eb5f4495a926e1734721c8458170e2bd738cfd9f71dec5d40b66092e28f9168f43af45225b2b58288464df2104633587e405c6d4f4dd710b42bcedd59fe9ea8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b421c5e6c2889c5af09e197e942d8588

SHA1
81ce3fc17e8006e662793998a33e4c709e7af31f

SHA256
13a88b09c523a9c128b03465986eaeb9602405bc1c875197a38a512f4ffd7d66

SHA512
c4c23a60230999c8e15bc16fc36039085f2b97d4ed59d81d577e40dcab40c329e95827bd69043c7cc6b32f4a07f487b73ce5d71b0140cd890005a2b7d10667f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c729fd1aba1844e2abeb4e73fb0a166

SHA1
706379df57b98c744120a8d1f2f72bf84dc4d769

SHA256
d205f01268c0abcd5d9d4324bb997755a943f6c929ef9b4901fd0d4013aa8d8e

SHA512
5b162713e11c3dc83aca1a681085d1a7216f7a86d20485adffe8366e76fa7d67ff184c3a48bcd30e9312ed56336ede006742e5ac1f296fae725c31f5cfdc12c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab74E4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar75A3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_4552e1e6a2a8fbd737699805fc4920a0Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2876-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2876-9-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2876-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2892-4-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/2892-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2892-24-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2920-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2920-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2920-20-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2920-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2920-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download