ramnit | 2f6538a8e4209104247eb400e1913982822e2dbf546934a21fa531ef5c6c08ac

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
01/01/2025, 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_487ce12278ea8e217e990f136e121090.exe
Size

1.2MB
MD5

487ce12278ea8e217e990f136e121090
SHA1

4e64dab9d4d8304e3ba38eba9ecd4473e65249da
SHA256

2f6538a8e4209104247eb400e1913982822e2dbf546934a21fa531ef5c6c08ac
SHA512

0270c09c4a1ed38f2c8905df336f535aa0b8751972aa642cd3de650cb947a100437777d1c948f786742da584b9cc120c8727fba86e8b9bcf657e7519db6105a5
SSDEEP

24576:jio3EfzEEK7K65oCVi2MeVBkSSTiiq5ttdyrThXv8Dso78:1Y4En3TqtdyrThXEDR

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
848	JaffaCakes118_487ce12278ea8e217e990f136e121090Srv.exe
2292	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2988	JaffaCakes118_487ce12278ea8e217e990f136e121090.exe
848	JaffaCakes118_487ce12278ea8e217e990f136e121090Srv.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c00000001202c-2.dat	upx
behavioral1/memory/848-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/848-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2292-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2292-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxBCAB.tmp	JaffaCakes118_487ce12278ea8e217e990f136e121090Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_487ce12278ea8e217e990f136e121090Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_487ce12278ea8e217e990f136e121090Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_487ce12278ea8e217e990f136e121090.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_487ce12278ea8e217e990f136e121090Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{82A0C951-C7FF-11EF-9D85-5E63E904F626} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441870437"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2292	DesktopLayer.exe
2292	DesktopLayer.exe
2292	DesktopLayer.exe
2292	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2304	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2304	iexplore.exe
2304	iexplore.exe
588	IEXPLORE.EXE
588	IEXPLORE.EXE
588	IEXPLORE.EXE
588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 848	2988	JaffaCakes118_487ce12278ea8e217e990f136e121090.exe	30
PID 2988 wrote to memory of 848	2988	JaffaCakes118_487ce12278ea8e217e990f136e121090.exe	30
PID 2988 wrote to memory of 848	2988	JaffaCakes118_487ce12278ea8e217e990f136e121090.exe	30
PID 2988 wrote to memory of 848	2988	JaffaCakes118_487ce12278ea8e217e990f136e121090.exe	30
PID 848 wrote to memory of 2292	848	JaffaCakes118_487ce12278ea8e217e990f136e121090Srv.exe	31
PID 848 wrote to memory of 2292	848	JaffaCakes118_487ce12278ea8e217e990f136e121090Srv.exe	31
PID 848 wrote to memory of 2292	848	JaffaCakes118_487ce12278ea8e217e990f136e121090Srv.exe	31
PID 848 wrote to memory of 2292	848	JaffaCakes118_487ce12278ea8e217e990f136e121090Srv.exe	31
PID 2292 wrote to memory of 2304	2292	DesktopLayer.exe	32
PID 2292 wrote to memory of 2304	2292	DesktopLayer.exe	32
PID 2292 wrote to memory of 2304	2292	DesktopLayer.exe	32
PID 2292 wrote to memory of 2304	2292	DesktopLayer.exe	32
PID 2304 wrote to memory of 588	2304	iexplore.exe	33
PID 2304 wrote to memory of 588	2304	iexplore.exe	33
PID 2304 wrote to memory of 588	2304	iexplore.exe	33
PID 2304 wrote to memory of 588	2304	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_487ce12278ea8e217e990f136e121090.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_487ce12278ea8e217e990f136e121090.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_487ce12278ea8e217e990f136e121090Srv.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_487ce12278ea8e217e990f136e121090Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2304 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac0e5ee4e075dd1302fc99087cbf3feb

SHA1
67615df244da873d9067a27c9e53c925d5ce1fcd

SHA256
3b13611bf78982c2ec1b9d22d7aa70729360e3b33d025fe4381531786797fb13

SHA512
38c1712f8336cb427588e675676e6ec8f08ae9dd931faf99d324915ab9bd61b8949b2ccf75990a5c0ce0114a659842afff2e39b4218c95dfbd3b67226a8be135

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
783eac25600da17ef57aeecb61d99e58

SHA1
360a91fb8f49c58301f97e6cac9458359d21e272

SHA256
c5842127b7848d83709214124f814a0c1ff3a202c677a5b739ffcd3873184e2a

SHA512
2be7d040c1da95dd84cf0c1291240957c2c020bc76017baa87c07fb534ebb1bf05c5c84211f054ff5b4357cb60ef5c460899adf4a2e94a7906bb16c575e20b92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1dbc8eef311dd4ff900812d8f9a3bf0f

SHA1
a1e0a514dc4b26344448956ff5e5b2f319cf2321

SHA256
6ea21a48d105795b9b18141c3a30a549b23bfea1d044dd33e04721b3236c4043

SHA512
685ce47f3c69be1e71be4be53843dce7b40b7bcf76271140d05552c42b295f1e91adaa4bd001e993a55e48e41218fbfa4785af15a4c95f10347ff8557f03246a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
681d40917d70fe206c0a2226a42e926d

SHA1
1b5893106d6c1379ddee0640490d92a66ba530c2

SHA256
2d3f0aa45fa91445ec5a6e0d9e828f7ad9b1bc287a37c76c1624798ef14cf817

SHA512
ae7f042d1f4b664e91b630050ae26d8631925199e376db070b88ea068526d3d48e143c06dff62d036e33a68ac8ee3f5340a03d04ebccc5ec9ab623adf00966ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a26ba5395712fa1b2ad81bbd3cc13e2

SHA1
47f8a24d4cc3a4bb4273eaac855309cebac539be

SHA256
a81530d0eabf730b431e7fa700c6c4105dd4a3ef80c1b079aa872cee883a4d3c

SHA512
87d2e94edefc11f600b589d5d27d391836d816ddec79610c27892840587f0c097bc50ec837e11202ea059dc2d0059b4a1d65f9028d12d12c24a01205710bddbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34233ac2ac520bfd1635df84568f4339

SHA1
0c3a8aa0280ef8f4f2acb52d3f81964f9b5115ed

SHA256
1713e8693c315a2ed604121abd61fdf71f00ca34d2b5117c393ebdc1dce54af2

SHA512
441dcbb8bea9758f67588ff6b0bca76120d8395111f5b380daec0bad35f98e09336717fe7a6254331c3b94a84bed059967af6b59f946ffbadaa26403d33ecc50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
172d79320839b3a39b1bdb3ea419e296

SHA1
f427e7f8b511ad4d087742661dfa544d6b802bcd

SHA256
8465cad060e3783975c7f9b01c743ffa4f26e2a5999d87034587531fde88773e

SHA512
2c5d23059c04d36f90609a55811fd81ef1347553b234d6e54f3bd63cedbaa71569231331adaa2873f55c30002f121929d9cc1a79bf2f7933d21b5dae778d3634

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edc04823b3476e7a07869c03e67f8fa1

SHA1
57c3e9facc91f77b9ea1c9672422fd24e79fba3e

SHA256
b78abef49277a1c157bd34fcd7c4c93102cf3a57b54a838b9c3da19b1eb394e0

SHA512
5f39933cfc12aac9a2566c307b3d84372efb4c79d64f446c3a888b7b32c4f2c43cbf66b0f35611df64f8aab780eb306643b2eac44ceed5587bf754afdab14229

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79356eca7cbff8130b6d0889c260e23a

SHA1
f6d237373125dd4b8ec5a5c97b92507a4004aac4

SHA256
9b30c13ee23dc6fd124d7ebfd345dfbe3bab645a8361917da3b87b54416c3631

SHA512
090ff4384a6328042aa209b665ffd527107d4c7e5628c6f829535c429e7d21678c07b1c9a841928e5de2881f22ca883f8a3202514b98ac31bbe98f3c8a9045e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7be81fa6f05c15f7c944d0a26b786d2c

SHA1
88b98b944666d3b2ed17fff7518384f41a7c909f

SHA256
393ebd7f308f9062e2f2f5c0e5af3a2e4a88ae18fa1b2c5faf8c50f8c5abf727

SHA512
c89f562ab111bc41e0a2eb117a7511fdb49d2d8098e7f03508db0b7bf049e789b4fad1c059a1ea66eb5bf72b06d5e4e62209be9be88e5c1f6c61c5c29e6f9551

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd25ff5746726280740ec4743be54a4d

SHA1
009fa4313d1ed30ce1dc5646a9ae4c960c1f9578

SHA256
4b68cc13afb3a32f7ad3971e66ed9de681733b974c9282f9a5fe039070220f9a

SHA512
96cc6722a2e3df4fde86c3bb9684103fc7afa4b95fcbdb198927b769b54b874cae80664c65f3918f53e61977d78df95e96ff9534b4570d60ef6f85f518735bdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51e1fb3a8add4e1e145df38bbf99c8cd

SHA1
6b77be1fec9fa4b3af0f6f05978251dba03df3e5

SHA256
0ad00402968c6decb11f2341fbdf891a642252530d5526872f143efc19436dc6

SHA512
2a477c89bce4a68abb72a9cfb340fdb1527cf30f226360cfda09e052dbd369816e31e3d52284ef2ae4459d9a40fe0644847a081e7430fa8ca607628f71e02c6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05020ed68da3cc57854bb8fa3290a310

SHA1
fe1d419b288bae7b2acc7e73c84890cf9a3246f7

SHA256
75f6c9a8b77e34f4eb21b6b2031f7504d30952b967b442c11e859d150e66e126

SHA512
fc0ba52e1fc884ef9c8506e1e1040e948ee02446c327db65b09e190ef633e7a4f6ff6bb18acdc8110d0d27ea3cd250814e993b2c6977efe190afca91f885a1ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1beb3226ee66042b662319ebeb4c425

SHA1
5dd3f3963bc4c2e8fbd3a3541fb1562b4091189a

SHA256
9b43814d1e7049924f7101c67ddab374dd98e644018c7c0cbb40c360ea954b8f

SHA512
1a084a995b690e428517221f71a0a6d0d158100ce9d7b291d4a466e0fa0f5e6659926cd08c5de7d8077d70051f734d6227c6d2fce7c76b2452d54b69a8131d63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79d4fc903364ec96e2075ee6e882bf65

SHA1
672b63601bc3be39b00b5101a7702b42da11e7af

SHA256
d0a8f59f99348526f2943c41f57c8c8652100bddd5c53f74bf387b8dde1f4cda

SHA512
e42d3f042dd5f2d0d61893b1576df4c94adc0e93e0bd9d898414b677c3d479dcd28a2e088fee315fc34b888d8ae0da7f364e6c245a5bd4975364b3a8444d2b3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
765289f4c642b1a9307af9752d2ee798

SHA1
be118304802dc6eb6dc49c07eca04f47b9453d9d

SHA256
63ff589c260b52ebe3b67ec25d514cdb57e394054903fe2721f67fd841111272

SHA512
fb3168bce70cf0b7621b1af401c7d682421455664b3809cba3a05d177125f41c37e6a767f3244e221561340d1b59c5f67d4912fb7ed86006d54fa6f98fa8d032

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf9e46fb290d0d6bdaa1fa0fd06cc0d6

SHA1
f39fa8882de60e96bd96b4cc6df44aeca395d83b

SHA256
aca7adf2995091443a034ea4d99fcf447d9ff381a6d1c096f888517490927d77

SHA512
dbc3ed979bc3106925c68891b6b76dbfdc8ef91222f43a6f9d6755116faa09d3266088b5e13de50d030fbf2c9aeea103b6da5317a5eaf4a6b860fbd68494bd56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a744c567c61b2af529d8dfe92df17c90

SHA1
de0040cd579b8cd01e5e2b08604f60529c6a1d93

SHA256
396063fa2af28d62c4fb394a390d13227f0214570bd6f2f477757718d4308648

SHA512
2d0c5a02cfa23c00e9f9403f430b7b0832d3e48d58b04db54d604987f2210ff84298e718f228e7fef6c8426ae96cc27185c3ed3156ad36bf35ebcb55e0d7f1f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f13b33bd9d2ce7d08645cd3a7e9354f9

SHA1
22d8a2ce871195e306c6ef72511615f7369af283

SHA256
3ce216b0b0082c5edd488b72e7be8c68c530a1164e3ca76dfc0dea71e9fb82ce

SHA512
5b82a1a2aae19aeebd87e96424d57a02beb7c3d1d62708bbb7f494d012953351d7df98d4d278c0f0b8f72724d323be0c8e609e82fc610c0b41c36677fe809416

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
321a4ecd711c62d132a99f225878ecde

SHA1
81053e59d4008bd53d6b12626d879914253277b3

SHA256
27c7ee1f65f454bb54009a89b8d0a7b8c4184802354f367c72f6725187de4821

SHA512
ffb0f6d42a7428697257ffcd4c24580c3c8c82babd30652d178e120f9908efc1056d19efafefebfb4d54fe251cc8676e4ed0ec25ca9cbeb5b75e8fd6d70d53aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b80ebbb45a9598689848c82edd7a2df8

SHA1
ebc7d834a822121c9e026fd9fe24d97d72598376

SHA256
0c3ddedbd902538c1592e58db03c5cfe3fbafe1f678cb423af6b7ae085230395

SHA512
9cfe7e65490eb7a782d38cd87aa2280f6d2fd7d4343510a6670dfb3e76bfc05220ae160559ac892cd47725e41e2d855199a350e2d3d782243ac72fd63c3df154

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDD67.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDE35.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_487ce12278ea8e217e990f136e121090Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/848-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/848-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/848-9-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2292-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2292-20-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2292-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2988-0-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2988-4-0x00000000002D0000-0x00000000002FE000-memory.dmp

Filesize
184KB

Download
memory/2988-17-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download