ramnit | 81fb3d7407c2748969ca07dbaccf9fbb67c808a4e63b9b890ef0e85e78b81d8f

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10.exe
Size

129KB
MD5

4c483b142b4e92f0b8cce83145e71f10
SHA1

03d4ef761d9ab8a7ef4a61f3fac76ba42b905904
SHA256

81fb3d7407c2748969ca07dbaccf9fbb67c808a4e63b9b890ef0e85e78b81d8f
SHA512

ff5d10d60b3348225936b83983f06d135b834dcff88711dbeb1a313e96eb71877e995aa93600b61e6fdae48f2fc8339c52464209b4c0eced0b4677f6ca29d5c0
SSDEEP

3072:HJBGKgiWncy+o1z1Asbyf5yTh6s3JbrFlIvmK0WL+V0tDCa:pBGxiWnoo1z+saATh6EJXLIvZSV09Ca

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
3008	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10Srv.exe
1248	DesktopLayer.exe

Loads dropped DLL 4 IoCs

pid	Process
2592	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10.exe
2592	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10.exe
3008	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10Srv.exe
3008	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10Srv.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3008-11-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/3008-14-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1248-27-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1248-31-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxD568.tmp	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0BD2D621-C812-11EF-A045-62CAC36041A9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441878398"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1248	DesktopLayer.exe
1248	DesktopLayer.exe
1248	DesktopLayer.exe
1248	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2620	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2620	iexplore.exe
2620	iexplore.exe
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3008	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10Srv.exe
1248	DesktopLayer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 3008	2592	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10.exe	31
PID 2592 wrote to memory of 3008	2592	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10.exe	31
PID 2592 wrote to memory of 3008	2592	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10.exe	31
PID 2592 wrote to memory of 3008	2592	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10.exe	31
PID 3008 wrote to memory of 1248	3008	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10Srv.exe	32
PID 3008 wrote to memory of 1248	3008	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10Srv.exe	32
PID 3008 wrote to memory of 1248	3008	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10Srv.exe	32
PID 3008 wrote to memory of 1248	3008	JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10Srv.exe	32
PID 1248 wrote to memory of 2620	1248	DesktopLayer.exe	33
PID 1248 wrote to memory of 2620	1248	DesktopLayer.exe	33
PID 1248 wrote to memory of 2620	1248	DesktopLayer.exe	33
PID 1248 wrote to memory of 2620	1248	DesktopLayer.exe	33
PID 2620 wrote to memory of 2812	2620	iexplore.exe	34
PID 2620 wrote to memory of 2812	2620	iexplore.exe	34
PID 2620 wrote to memory of 2812	2620	iexplore.exe	34
PID 2620 wrote to memory of 2812	2620	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10Srv.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fba93fa96d87bc5f69b6094913336e8

SHA1
93a6af180a5ce39ab0ac4cc40cdd8d40d444d26b

SHA256
2e1bc2fc3e353da216276268aca8e6ffaf615f702b59dafd8b1efeb0844360c6

SHA512
319134604e395feb5340c368625e8c41c3499d6a994398c8012424436b0904e1801b41bfa8c0fa90ca2c73df7ec42da7a4b0ba82515b4494fd70c8d3cb37f559

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e80181b9e5367710db8bba44ebe1d1e5

SHA1
e9f71ab9077d34a2250534af6584836b790421e6

SHA256
b37bf7580533e03b30cc848ed3ec3ccb90da3c52a23aaaf072b3943a9d077a9a

SHA512
b01e337d4749444ec73b0c62c4a6214fdeeee5ecdb646e2b140cdf315260a6d6883cac612e1bb45646fdd8ac0ee5ea6b38f0f525696857e9245b51a5fb43ddc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef5f47b869f61bbcd75ded1381d593c8

SHA1
3ab764dc9fcee95a083eeba92d5783c1d7fe140f

SHA256
27fadd58f0a874e74bf1daa9cfdda2b747a17a4a6a75537f5d9a0ce934d491fa

SHA512
796854db51be307696f0b6b15d0f3f99529d1af9c39cb641f62c50d1f39c76ef6fa9d5fbbd740c1e78c307064c67fd8c1fbc5a86d74245bc19e0b23b2490beb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
553a6b65699b9cd8934bc78245aed377

SHA1
61392f5d16e3b85270006b2c77784de66db36c93

SHA256
466324aaf9a909877c740a80aa1255fa1cb1f148a1a78b1fd1bc9e8c426eb26a

SHA512
e7817e7345482a1f8d113f7105310cecb302471e9d1fc00c3b4e16022c8f4632f9b78d45f2afe29b65fc8f878378d535be73112e4ec4894d0b997bb8722267a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90990ea0786460fe8669e326e3da029e

SHA1
60aa5e40e5a82676282d75daf214ab42c6a10d5e

SHA256
f3d1171e5d2ef8116760ea940e59e133036fc1634a57ff2179e33023166f7f5f

SHA512
69b06fa3322326c19b9b2041a0540db93c2f9f52a5135c81be5deee7f3865d6155f6e014e048ab67fcba73cf31337f3be6ae60ea3c445f5fa5a6fc6a163980d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46b24e19c358c36b460fa699ffec7901

SHA1
cd3316470b6f6e90d461e0fd237d6573da62d1b4

SHA256
71c6a431671d4d97a3430b0f323343b5da989e34044a3e9cf8c38a7c40e6afdd

SHA512
120d630f39e443b56a91df44ae2ae422a91556726198840f9fc3e5e8525787f293a213d8594ff103086f4d30a277d85a58de356ed2071917e85cd306afad2e0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1622eef71594ebcc661310b491e52b29

SHA1
a7a6e3e7a8791f87a4c52a1dd4967273c378d37f

SHA256
280748794a5b406a4642f64e14211698ca3a1839ed89b99c6fa6aadd967d3b0c

SHA512
8230583ac55586f56a6c2a7073ad2ef17798ce346b0dc96390687a1af74b8ad2f61837278742896b060bba45570b5ff2d49ccd45b74d324bd984059723189410

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6cddc0828c36a3a20353756b895c51ea

SHA1
175e7aff7069d2f83e89c8fe36083f43c2c57f78

SHA256
cc821015b72c707384857fd926f51a13e46a0ced6a08e1b0a9a1cf11b858c9ec

SHA512
de8c0ca6a882f7671551056dd6c23b9e962d2a976d0b6dbd098c7213838649ea2f0f4f7088b906def58a65401bc5dd749f64e05dc7cc68be16c75056c14d859b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33f43f73f26e908637ee810d9d962f61

SHA1
e7e1ecf3d84d7e202eed0cfdc2af45bb15aeebeb

SHA256
0667a86911e51e7eeda36f08684e260254cda69c406f9a303561e9d4dacb32bc

SHA512
5840d59fc994d9d23b6a34ef8d2044cb9342fc1edd471de6331974dee750287200b3ce1afb25770f6b84504ea3db7e83b8baeda3e1c43257f0f1421bc8d41b53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab20f33a776bd4577f9d8bb6f93a2041

SHA1
d88a8754e77ba703798d5bc6fca9e65438b5ceee

SHA256
6fcbd0bc191fcc76b8315f19dfead89cd0a672a0696adcb120f388fc9a1c9442

SHA512
7b527190add25e61e6509f97c61ca1dc0ca8fdb5a640848a476322d23ffaf773a6e186c20fe765affcb0443fe7dfe87c51c9c47dcdd6800ec2843c0221543dce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f89b003a72dd3c24b01162ab8b6b4cd

SHA1
3bccdad22f02f78c05b89d6cd4f36b0d94321f4d

SHA256
aa87838458706850fb96b7e6e0043aa320d75579f680071706571d8e4bdf5afc

SHA512
fac06afe390b5f4d7f1572f4336e156e5867c0abc20939b3fce5af04b0811211dfb71d6414c715bb42dcd358615ccc87c08fbf0f4c23d39bde8833c5eaa118a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af8f6a70599c2f853207374be43ec9e4

SHA1
4587427d3dfc8131700fe6de298e9a028aadd875

SHA256
b5025f9711cc33ab5505d0295869d22b91f94a9472c61f9a074f20c9154ead94

SHA512
8eb35de12436af834ec0d7dd643cafeb00c1c273d23cc72d03b8e59c84a6da4265d054f97f689a0f11fafac1af898a9f97704be640c1a98c7f5d1875924f5db6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97374b0bdbbe0329e62b0d387aaa8c68

SHA1
6b24ec3bcfec0c21a24376e3ea259ec92e08be52

SHA256
16ad52e71eb029a08bef65448063d72ee329b94a0463852299e5c7a0da848464

SHA512
b159bf26f8630771c7d2446b9c6cb058219cf334a2fa973295ee7743bbceb9c8d99fd97e6249f18269d2f80afae401e937f48d64440949d39ad5e67430b6ab45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1ee1fc86d40f028c62cfeb3b3d4d51a

SHA1
34e71d8295712017c36a483d0589ccae888bffbe

SHA256
797a8dd7881bd09d7741973b8dd0700e11837ca671089150224084de5091ee0e

SHA512
82ca3a0e53ff5519d0cb6e7392789cc62efa70f1832ec093c8b76db2942e872bdc7dd284f4a61be70ea62d86d25d9a7b2961cd83d8a2152155461ff272698b14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abc57470f9a62f70382a12663ac45ced

SHA1
89c7b98025ad18d45b2933d9ed46d6552c2bd6c9

SHA256
fbffee23c1d686809455d09bc5317b5e8a76e53ebab6e62e7710e9291f26a2a3

SHA512
ed50b71a5434570efff026fad825dfef4eaaf85c7eb3b2e85dd445e9c6eb98545ce9b7e6b6be45e2d87433bfc7c5f6e474578c69a9bdd0e255d29be8acef859a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5abed79810a67a6c784d2be0be9696c

SHA1
ea1f51e02a493d19cd0911db5ea04902a1f89b8e

SHA256
fc12e76e5340a951e084370eadba6632609102a0a5a43b3031ba04ef9a99b0b5

SHA512
b699ffd10b49eddab3d2409b21ab1f5cd5964b8b899659091b229ae306291a3d06825668bef2e87bb20048a4c7e60ac876644339c97ed2ae65d4c0ecae0dbe08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c23145d01af71dc64b1a073f1f7203e

SHA1
e6dc347359367235f28f43d8a9337ad08d98103f

SHA256
5a6e2fe3caf43a12f0111bd6c0026f11f4b6e181996f3645ad155021829df8e8

SHA512
1819b25b4b6f038de46870cf70d54abd8d181afe5c244fd650bf9eccdd2278cfb1831927589973452d6fa3c64ae631bfd5bce029252ef583cc53bb6c13e98d85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a6472da5acf93a0bb8cbaac9b65c98c

SHA1
61a94ef4c2978d8060359c837555790ca5d4bc2b

SHA256
f8dd5a08f7c107020ff9a791f5dab82646f3a17f663a0bed126cf1fb22c304f0

SHA512
5c0286cab81ffba832c1f0f3dd51b2887448197ea220dc4c9b127e48c985b7e5c16d5adb690c51916b0a5d04281f55c9ad1d9bebd46218a145d9d9c870a0c946

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44cd48e1cfe16d9951128e8df094558d

SHA1
d63ce14ede0b1efad6d76e52ea17bfc41f6911f8

SHA256
992e4a045763c41953b50b6fb2c560aa2088ca2e88bfe9af92406114d1b56d46

SHA512
6d80072e17f7eebbc203ce85ab36f597af6b014ab372d54f9c895b274a80cf0d2df1655ffde28c9a8efba5243ab55fd35b8cc616612fa93587c30f1cf9884f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF4ED.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF55D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_4c483b142b4e92f0b8cce83145e71f10Srv.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
memory/1248-29-0x000000007732F000-0x0000000077330000-memory.dmp

Filesize
4KB

Download
memory/1248-27-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1248-28-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1248-31-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-3-0x00000000000F0000-0x0000000000103000-memory.dmp

Filesize
76KB

Download
memory/2592-0-0x0000000000300000-0x0000000000326000-memory.dmp

Filesize
152KB

Download
memory/2592-9-0x00000000000F0000-0x0000000000103000-memory.dmp

Filesize
76KB

Download
memory/2592-16-0x0000000000300000-0x0000000000326000-memory.dmp

Filesize
152KB

Download
memory/3008-11-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3008-13-0x00000000003B0000-0x00000000003B2000-memory.dmp

Filesize
8KB

Download
memory/3008-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download