ramnit | d9161992055c62f8fa8f33de3a6f324715066196fa45252982e633b5be074c45

Analysis

max time kernel
134s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4bc67a36c48346a4060b89de145c1120.exe
Size

678KB
MD5

4bc67a36c48346a4060b89de145c1120
SHA1

407284ebf7dcea6c1aa1576b1a34e2462a9179c8
SHA256

d9161992055c62f8fa8f33de3a6f324715066196fa45252982e633b5be074c45
SHA512

c16b43f21340e3f19969ada9a89d3bb8bc04884830d5540e0df2d427cd9d58649cb571d49c46f3d30ffb89751a0cfba410cc1b562c44b417185aeeac29439478
SSDEEP

12288:zyfUVjJQKXxXjjAZkU5UUXiy8Xtd9AsyG5/tAp3fLO6EwgbAMHLXizOYm9:zyU82bU/Xiy8ZFAp3fLODrX

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
1608	JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe
2552	DesktopLayer.exe

Loads dropped DLL 6 IoCs

pid	Process
1800	JaffaCakes118_4bc67a36c48346a4060b89de145c1120.exe
1608	JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe
1608	JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe
1608	JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe
2552	DesktopLayer.exe
2552	DesktopLayer.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d000000015ceb-2.dat	upx
behavioral1/memory/1608-11-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1608-15-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2552-24-0x0000000000240000-0x000000000026E000-memory.dmp	upx
behavioral1/memory/2552-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2552-28-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCF21.tmp	JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	JaffaCakes118_4bc67a36c48346a4060b89de145c1120.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4bc67a36c48346a4060b89de145c1120.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{83DAEC51-C80F-11EF-85C5-7E918DD97D05} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441877311"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2552	DesktopLayer.exe
2552	DesktopLayer.exe
2552	DesktopLayer.exe
2552	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2764	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1800	JaffaCakes118_4bc67a36c48346a4060b89de145c1120.exe
1800	JaffaCakes118_4bc67a36c48346a4060b89de145c1120.exe
2764	iexplore.exe
2764	iexplore.exe
2312	IEXPLORE.EXE
2312	IEXPLORE.EXE
2312	IEXPLORE.EXE
2312	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 1608	1800	JaffaCakes118_4bc67a36c48346a4060b89de145c1120.exe	31
PID 1800 wrote to memory of 1608	1800	JaffaCakes118_4bc67a36c48346a4060b89de145c1120.exe	31
PID 1800 wrote to memory of 1608	1800	JaffaCakes118_4bc67a36c48346a4060b89de145c1120.exe	31
PID 1800 wrote to memory of 1608	1800	JaffaCakes118_4bc67a36c48346a4060b89de145c1120.exe	31
PID 1800 wrote to memory of 1608	1800	JaffaCakes118_4bc67a36c48346a4060b89de145c1120.exe	31
PID 1800 wrote to memory of 1608	1800	JaffaCakes118_4bc67a36c48346a4060b89de145c1120.exe	31
PID 1800 wrote to memory of 1608	1800	JaffaCakes118_4bc67a36c48346a4060b89de145c1120.exe	31
PID 1608 wrote to memory of 2552	1608	JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe	32
PID 1608 wrote to memory of 2552	1608	JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe	32
PID 1608 wrote to memory of 2552	1608	JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe	32
PID 1608 wrote to memory of 2552	1608	JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe	32
PID 1608 wrote to memory of 2552	1608	JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe	32
PID 1608 wrote to memory of 2552	1608	JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe	32
PID 1608 wrote to memory of 2552	1608	JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe	32
PID 2552 wrote to memory of 2764	2552	DesktopLayer.exe	33
PID 2552 wrote to memory of 2764	2552	DesktopLayer.exe	33
PID 2552 wrote to memory of 2764	2552	DesktopLayer.exe	33
PID 2552 wrote to memory of 2764	2552	DesktopLayer.exe	33
PID 2764 wrote to memory of 2312	2764	iexplore.exe	34
PID 2764 wrote to memory of 2312	2764	iexplore.exe	34
PID 2764 wrote to memory of 2312	2764	iexplore.exe	34
PID 2764 wrote to memory of 2312	2764	iexplore.exe	34
PID 2764 wrote to memory of 2312	2764	iexplore.exe	34
PID 2764 wrote to memory of 2312	2764	iexplore.exe	34
PID 2764 wrote to memory of 2312	2764	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bc67a36c48346a4060b89de145c1120.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bc67a36c48346a4060b89de145c1120.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2764 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8981e8943f19567964b9a566b1324dc9

SHA1
73a21e05723b00e6366855ab5c8487a516059632

SHA256
9ea82eef6968237af50f24e44f085940a205dbad56a6d537e10a6248bdcf7ac6

SHA512
0e4c32b8f694568cb0baf109d1507f1e5f9edd1b341d08302d685fc38110d6d98127cebc3c565747a28b3ca6beab88e16df3a3b4995e6d6814d601671888a560

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a94935b20256f5e5480587d99fe924a6

SHA1
09c8806e93a6559a6e4e0232aba291500c023d31

SHA256
93bba590398d057986617434c6d1e28e332015756fb7ebdfc5aa2bb7d30708cd

SHA512
c16ed3c13d48a870c8ee05cf736b58b1eed485b172215edeb669cd6c0655285162d35a52864afd900e49f6ed54d87de07b73e09e31813288e3d4dffecc95325b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfd7cd9472b41cd9792a97095d8e901c

SHA1
56ce8d1875c44fb377eccdcb662e616df50991c0

SHA256
73ab3ffd1d408180c9f80ca74473c66bae3325a2d9ca7ff5e305ba39271d6800

SHA512
9a6d5c690d1c7abbd5d0e94d534dd54a2cc0c15ee896b75c2afb27cb5c7bfec0e6260bf01eb18a356224805d6a4f0a5b9463b0ed941c88cacf7d04ea875bb2d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae9f760cf9e833561188ce801623755b

SHA1
aa0c35e92f3826ff1d43098bf9dd8c4f8040b73b

SHA256
709e86cf042c935eecef3a3ee0e3bd13f74b8078c5727b0768df40ba2f82e4df

SHA512
39f56da5d6054e66a52777a916ad28aa1bfb5f30c674fbb22d4d6436c4a64c0d34cf0c26e231a21fa3a16a61e4a563e175fe4cd5cb4c1776a6e64193251e012f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9e5990d21ec1d2e097ce507abe2d070

SHA1
80617fb6ed54dce41244b38ccc94ba3e6fcbdc7a

SHA256
c7c580dea683787f9a7d1a153fca1eb1a1bed856e151b169122b5e4c44435338

SHA512
2519a1d7cc2eb3a46cab7021c80a8ad060f2bf0b292658c38ac77d3530fd222b22986f5248acfd39d7351e55961451219a25f882fb672bc993d44d5ab868fda3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c406019740405cb3de2a9aa52bfc4e1e

SHA1
02d12a0d18d23fcc67f521d41b1bb20c211e897c

SHA256
67e62648cdf482cb88150dfa84991c323192af23a4975fa2ec1aac1fd307d790

SHA512
6127a18a7b3970b25a5c84f4812f4edbbc3a353e1cd179301f97b4f7032c5230d5792b21e69928f286de3fac508bcf9a7d4fcf4474e6b1858139f6af5889466f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ff4b749456e5de219805e47f2f31a55

SHA1
f852a629255b069182a75ba6f0f972dcadca2ee3

SHA256
85922850263ba4887c7c7903374e8f8195377aa4b0bd8554fe039e5cc66c9505

SHA512
42617bbdee7c64b2a930ce90bfc6676ff725fe5b40299fd42da837dfc311a92c92ba30f34fa27b9df49ad43269995939ebc9f02170fa9595d8df9532368a42a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
696356695bec4c5fae0b20fa3a99740e

SHA1
24b69fcb3b42de31588b98333929257e446db69b

SHA256
8c6ceade0ed0183a3d59094473a60b5459f06d238b4051d333ce8d76c679bf3f

SHA512
f9d9a2a8b76eb5b2b113cb94f027df5f68c6c9aa8182fd00d511cdd59bf448dead03fcc7beec464b19b3b049520965374dee30a05bc90ddfeeb6d63c988b84fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00b4c41df68b671cf211293680446cc9

SHA1
fd3b6c3bdefffd42cf9c4338a6c994797da280bb

SHA256
54312c1e7ed9dda07c4779ac79c080767438e92e7b7891ee31d904cf8a9214cd

SHA512
52ccf2523757daa0737e75326ab0caad878794fad56678217984be343ccd7c711c8915622f1abcb4ebfb53cc984910131deaa9e70962bc6785487a8fc54b10a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acf535a0063c405008401228a9b5ca6f

SHA1
cb358ed36b439a445276a68e1e30ed43210cb62c

SHA256
f4c49fbe75ee42f03300de1d25cc85f71b04cf706319401ae75a7e9072ca672f

SHA512
dc633b6072e8726f35fbd442c82d02e28e96ef374988f2a292ad5a1535d1a67f331023e5a759368cec9b8ab32a28ce023e48c731052152934e4cf6348a179002

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
809d194ea1f5b89bc5e243e32b0aa4e5

SHA1
b7977cdd0247d117570df63ed1c22d19c4ee54d0

SHA256
6e05d78853dcc3d479cbef9830110d4a19f10977c06470e23ba8e7d3e187c39e

SHA512
0b2ca130956c2bfde475f9891c11f7b84ff75aaefe971911d715e9cec43f4c50e2a68a69729d8a7a562895c3a7c8b382ae990beb5fcf635f82461a5a09aac911

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80f3e1e42e0b6d86ba7c6b93e43fd57c

SHA1
fa24e77c33d663d328a63f7ac464c843c80fc0a9

SHA256
0972e771b6bb25f58c5e990b29e9f0485bcdbf8c60c4bcd4001cec62978994cb

SHA512
fcf807cef32a8ea54fcace0e2ce3cd925ce861b7231dabd6aaf95a98275b4aadf2369f85d44adbc6a3712623d8553401b2ab66eb39ada487ac2c260b5904ba3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c843754988e37d465fe1a6189b745295

SHA1
1de76b75a193a83afe117add147e4e7a8aafc954

SHA256
d19696610c9a4837e46464a78eedc7ddf9641ef45cffc6694455e35e3a21800a

SHA512
13f8514e3f1764e95864319e836f3357e8a1d72ede88f0a5058f52d8d1fc4a3cae57b74ecc43425712524618fd2786e6d8e80a676d2f26550d60d6eb2d992a74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd7a6a982d87dd803aff471e30ecb527

SHA1
34059ba21d06f054a686911e7fd8125e9d7b563f

SHA256
d96ee09c6cf7e947e80c52aa4adf1c484d4823d79c2c4affed812b1e3a26f136

SHA512
71a3124b41ba8dc26046d523c32f6c6a62d325b43f6f8219d9bbe57668364d66c757a9933d300ed9ba5b8d517e0efd3c4ee5e24cf1ea37bbad5f6fd784a68c94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9689bf6afd267d4fc8bfb3adcbb5c3b

SHA1
41efb17a5c0b97604a838689009b7bc4566954b1

SHA256
1ac8f0a667373568c6099c941928200ca930d17ec8153c44a94be6a106bba457

SHA512
2eaded744cec2e9314304ec4335a0573e0824565b50c1555111db9d287c160b2c23fa9fb7d775e6140ab12b44c8342ae5699e2c84fd2529328edbc4ed0ff8a96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d14068fcd910acf63edb05ca714b568

SHA1
dc4eaa72511569d56317141bc419e8486aeb666d

SHA256
96fdfbb0773fc30af1b9b97e61a7a35de8f8a58dfb1f6f293a1785f56ac5ed6d

SHA512
2ee70fd4b1412c5c57f3017ef2ed4af674de65be8062553d656978bb61f96a44b616b8d5e1d7c3640fe7fb1bee900dff755f5f8a322ea8de7a89d8125f0c07b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7a93a01faab8fdbab5b0326234490a4

SHA1
a72a29b8a4f59823ff67764504cc1175e46f67a9

SHA256
af00d55515ef453780f4c1a18be7f886a5e9ad399c3ed42694e4f894c89f933b

SHA512
1d5f0e982d2c1b7224467f2976db71ca5c8c00f8c1cb98a4fe99c6e74d0bda278418584c8d8329ff8fbb0c15a88673dfcb7efc69c30786ff25d441be53856196

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53d15138dcf1a5883ad9356b427d745f

SHA1
2fe4657a8711eede0e6d86bcd10c278ba28c78ad

SHA256
74aece2cd85dca1700c4beae11cdaab16852dfb35c7327be7e1a03c7e2c5350a

SHA512
1a15b1bdb817d27999723e69229d16bdca475288b190329db9dbba9064f4c3bab9bc342b9394de6af482e2c9e43cdad7d7c9ade2bb6fbe8d82cc1902fcc8c826

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c527928f3ffdf81fccda942c7e595a5

SHA1
42cffdd673d0f9baf75a3eedfb2e9bd6697131ad

SHA256
f8a3db8d19c7e5814cea859306dd10708212ad1c791fd82deb50c47ca6c728e8

SHA512
e9a8fbd78f16b8535f791455dc1b93785792c7e11d81a0bfaec3b2185e0bdc179ccab0cd2befc0ab78ad4888ef1cea46969199777e2d01cb73912980e636ad0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEEC5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEFA2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bc67a36c48346a4060b89de145c1120Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1608-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1608-12-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/1608-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1608-13-0x0000000000260000-0x000000000026F000-memory.dmp

Filesize
60KB

Download
memory/1800-29-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1800-10-0x0000000000320000-0x000000000034E000-memory.dmp

Filesize
184KB

Download
memory/1800-6-0x00000000002D0000-0x0000000000380000-memory.dmp

Filesize
704KB

Download
memory/1800-30-0x0000000000320000-0x000000000034E000-memory.dmp

Filesize
184KB

Download
memory/1800-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2552-26-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2552-24-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2552-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2552-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download