ramnit | 7fc98dfdf5c7974894d79a519d4102ff3c981140e90ddfd8fb1acc5a6b6003fe

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4e837d74d78fffccba662969c3819260.exe
Size

116KB
MD5

4e837d74d78fffccba662969c3819260
SHA1

cfb30aa1f165dac6aefc6afd9ec3ad6217cbf422
SHA256

7fc98dfdf5c7974894d79a519d4102ff3c981140e90ddfd8fb1acc5a6b6003fe
SHA512

7946c5e6b913b3ee232ceb99b66a84b17f2731dfc4b5e6b207e47fd29581df98d9d5a1541379be34e52fdad3dbed05886feb8848d2a9f7d3f0c80fd1c3bb00ce
SSDEEP

3072:n0/Ypo9m7gqbLhPPRxxmvfzTjEku2ZHfQuu:0W7gqbVPKfIX2Z

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2340	JaffaCakes118_4e837d74d78fffccba662969c3819260Srv.exe
2504	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
1940	JaffaCakes118_4e837d74d78fffccba662969c3819260.exe
2340	JaffaCakes118_4e837d74d78fffccba662969c3819260Srv.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2340-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x000b00000001225e-1.dat	upx
behavioral1/memory/2340-12-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2504-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2504-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2504-23-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px601A.tmp	JaffaCakes118_4e837d74d78fffccba662969c3819260Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_4e837d74d78fffccba662969c3819260Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_4e837d74d78fffccba662969c3819260Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4e837d74d78fffccba662969c3819260.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaffacakes118_4e837d74d78fffccba662969c3819260.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4e837d74d78fffccba662969c3819260Srv.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3F0EC211-C81C-11EF-9DBD-525C7857EE89} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441882778"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2504	DesktopLayer.exe
2504	DesktopLayer.exe
2504	DesktopLayer.exe
2504	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2816	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2816	iexplore.exe
2816	iexplore.exe
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2340	1940	JaffaCakes118_4e837d74d78fffccba662969c3819260.exe	30
PID 1940 wrote to memory of 2340	1940	JaffaCakes118_4e837d74d78fffccba662969c3819260.exe	30
PID 1940 wrote to memory of 2340	1940	JaffaCakes118_4e837d74d78fffccba662969c3819260.exe	30
PID 1940 wrote to memory of 2340	1940	JaffaCakes118_4e837d74d78fffccba662969c3819260.exe	30
PID 1940 wrote to memory of 2452	1940	JaffaCakes118_4e837d74d78fffccba662969c3819260.exe	31
PID 1940 wrote to memory of 2452	1940	JaffaCakes118_4e837d74d78fffccba662969c3819260.exe	31
PID 1940 wrote to memory of 2452	1940	JaffaCakes118_4e837d74d78fffccba662969c3819260.exe	31
PID 1940 wrote to memory of 2452	1940	JaffaCakes118_4e837d74d78fffccba662969c3819260.exe	31
PID 2340 wrote to memory of 2504	2340	JaffaCakes118_4e837d74d78fffccba662969c3819260Srv.exe	32
PID 2340 wrote to memory of 2504	2340	JaffaCakes118_4e837d74d78fffccba662969c3819260Srv.exe	32
PID 2340 wrote to memory of 2504	2340	JaffaCakes118_4e837d74d78fffccba662969c3819260Srv.exe	32
PID 2340 wrote to memory of 2504	2340	JaffaCakes118_4e837d74d78fffccba662969c3819260Srv.exe	32
PID 2504 wrote to memory of 2816	2504	DesktopLayer.exe	33
PID 2504 wrote to memory of 2816	2504	DesktopLayer.exe	33
PID 2504 wrote to memory of 2816	2504	DesktopLayer.exe	33
PID 2504 wrote to memory of 2816	2504	DesktopLayer.exe	33
PID 2816 wrote to memory of 2044	2816	iexplore.exe	34
PID 2816 wrote to memory of 2044	2816	iexplore.exe	34
PID 2816 wrote to memory of 2044	2816	iexplore.exe	34
PID 2816 wrote to memory of 2044	2816	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e837d74d78fffccba662969c3819260.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e837d74d78fffccba662969c3819260.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e837d74d78fffccba662969c3819260Srv.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e837d74d78fffccba662969c3819260Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2044
- \??\c:\users\admin\appdata\local\temp\jaffacakes118_4e837d74d78fffccba662969c3819260.exe
  "c:\users\admin\appdata\local\temp\jaffacakes118_4e837d74d78fffccba662969c3819260.exe"worldedit.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e4a03d6c37caf2bca3c2a5fed999c97

SHA1
852cf398dca706b3b422599c36a9c2c04e21189d

SHA256
58acf9406b1de9308cc509d6e740d1f98fb7fc8a4a1025b8f621d0102ae77bd8

SHA512
0d7f3c6d55b110995198c667cecb6b87d286c7b5244b39bd9614f24529d59d91224add4c094f3d203e860e54e4aedabc8bb38658aa553bc7e605a9d3e1fe0fcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6a7d95f5f823175f8eabcfcf3612dd3

SHA1
847444f7ab33c4c0d675695d9780af052f15554a

SHA256
da8c68cc263e332273ff2a1ce53066120438762f57ae75fe38c1dfe6ba995bb6

SHA512
66a8388e8b6c2f77627e6e0d5c6ca8c57fb6a73ce037164e403cd90bb05d15f9f36f2193ec902127d2bb3c4f3d48d7e0d17c0cfe9c8a0f73896c5fd1c242ea27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4233401c70399c845b4c55a50e756490

SHA1
c2ea573313259bfcd16080c927427ae5e58c0e29

SHA256
dec675354ff828756a9600814e0935e39d7dfa615b4a64c99fd16f95e3ebc46a

SHA512
bf79b0a3af9e66200a34cd5313f0c0eeb9e71cf8fd11533cf9c53c3ccd6ac954d4480496d6941f1177d504071af22987f8e3b158c83ae5e2d98ca073342c4329

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8a64bef926d7b14cd6893fe166fe01b

SHA1
d56b1838ccfb1265ad3ab52f3a21e9d738d6da9a

SHA256
820265bcc781229819f615cb10e58e619ce8bf775cb0c066265a676f62ffb686

SHA512
d918bf84ee9e64e807a041e984e2ebeca33d13df83aedc332b454a5387ad5b6862ea3e44b072df1a766aa1ef80fbbf2b916183f7e4015c6f14a2399a52094899

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fb4de885c8de1199ee18833ba7e366d

SHA1
d63556864c93563840491790e3d5afe383e5bcdd

SHA256
453963a1666a1f3c2d4ca24ea17ebd6aa2241dbead0c7fa5b3d3b835e9f758fb

SHA512
f0ceb5eb3e6e7ff08b29f87efade3e1c0da7d20c064655a328107cf6141a11cf43885b55f7a2f96e9234e130650e0b45a03fb4acf89fc3bd4281fcd4c4e2ce01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1175aaf293e8b2479e16e6e440006ec9

SHA1
e8c92cc5a4a93b225c25ccd0414592881b996739

SHA256
053765eb3d3e32bf212fb3e94e73281603045b22a71ea13100d5c4e910c7ebdb

SHA512
ee565cf9da72272ca35f516bb93b94dc07f0a00d485c6ec4a13e5036779b0b2db0796b8abb996e022d6439fe32cd64b97075ab79e38f641c67b2779e05c0e253

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
453d167080757d16ec6b22fba4da38ab

SHA1
ef5f6afd9cc34ac8f212a3bc9711e55b052b4008

SHA256
8f8b8a4b76986eb736d478771e3a33618123cd4768c6ae4708ad04b6a3779ee6

SHA512
16ca3910243470e607a2acbf73f6cd75b2bc5a28c291e0073897208c0f3e0297f2140ec2af43b2fbf0f323bf313e4d576b2ccb55b4a878aca4df0e6cbe75ea2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1af5830b9db1e6701ae8559b407ec2c

SHA1
de9741f46273fd78b9cab4817093f2f0b3c08824

SHA256
ddc625e9f20c08af036a5be9b421abd906d18c7504b5056c93c7f67cc98b154d

SHA512
8a39b147d673f2fc4efb976506b6588ea7a36ecf51f2eb3094da0582c1397457754495af2e5cb6f8cc0ce106e7a3718f0a7d6389806a9a278966f3d826dafe0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2350ff63dc65b159486e0ad55b75b187

SHA1
d7e181793e210f735e9e9353f4022391a16c92d8

SHA256
b7c436a480494177c60660c05254f23566d09d0607c408c18f4e3faabec678bb

SHA512
ca329208d02a97bc8c46f1563f1dd525bcd6637158175798ba02ae1a497447651b0308d04e1f379aff91a1651453f0f88645bafb6f1bfbaf4a9753bcfa7dc6ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
388d1c78f28e274b2dc79485be815b19

SHA1
6b9489cb3fcc2ad0ec58c9ee5b147dfbe3a3f3c4

SHA256
b2ec602649072200e641dacbdcbcc4bdb050a80f878017460852b7c7eb40e735

SHA512
50cf9bfdc660b1373f070250026f4930b5f70ce65436ca96750cb8178b06d66e3259358431d0319cbf8ec1565c66da80c008fb0cdcf2f51c46e9760270d10aff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bcb566cc25c7ea687c742423cc18584

SHA1
4d83997791489ee58f1ed96d7d4bbbe00b25258f

SHA256
0b15cad165865c5e26f0aae4fedbeb9931a7bb0ac5eb3e29410fc8821ed3ffcc

SHA512
bc1d970cfbbb075cdf5ae20ebef0031a337fc63b448797e2dabea9c14886c27648c5d1a19acf4a7fdd0a8d09d6f4c13f4bbc1b434e67cf25da7a799a368551c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b01918ba71d629571fed6970755e72a1

SHA1
3dd50a356dd5b8526037db054d1b27f927b3bf59

SHA256
e1e277a1158d570a137e008b0f075e05ddeef51a87ebf62719c04c4f16ab9de0

SHA512
839335f988e2fe7e05e56e2d38b313a9f280a66c191ee7a48e513afc0d5e79fdb634f6b7b9e9f5f3f9bc1c8c321aa65821753333f4884ba398780a66ece2c720

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
314ca28fb7745ac3087902318118db93

SHA1
19f733cf00da082b3d0c35c8133c8890162e5b76

SHA256
70964adf6778d454a4634b24932dea383f3e2e31273ebdfe2eaa1722ededb2ca

SHA512
ed0b6bb91e2ccacc630b5c038d56694c16ce4625e4b14da6fe2b13a4fd3c9ef120e39912eca2e28706fad53b3773d75f63f777bc34fd4a4a15ce9899f50b47cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
426081a96ecfa06869432953b8418f30

SHA1
438b58a4c5a3e021e4cf9b65ea4dd496477cf058

SHA256
3286773145caa8c4d4380470beb679c713372bccb8b32064c3feed0560d4a55f

SHA512
6577fb529acc1e405d8c08412b257b597ff9af217aa294eb6d3539ab62fd9355b00539e415f147f98259fdb07a031294e766330c8d5091a6cfb6eccc354d7e09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fcef7171a709f488ec20b8d67023c45

SHA1
234b1034b676e4d56c46670bb5f673ba2dfc8530

SHA256
fd70912cc9eb2d32bda2c6d4d2f3bf3c50fad3feca34353285544577f6ca9a07

SHA512
c1182723d0539267aca3961d5de797e23e5f1bc85d13047262aa9a31e87083b246e1612e2066660bfecb0e8eb803500ae85f63ec5a1712a0c82a01b302259ddf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5c54fb5b91b714df1b3eb31aa93f1e7

SHA1
b17b093e0aa2c679c1c2234a22f796c1ce3561eb

SHA256
3184762fc8d052a481ef04988979066d0c70f3f4f515b2b5a873501ad173ed45

SHA512
4d36002c02429f363469e5280d96d09e1acce5a970dbebd7b924cdfccd5493921e8852b9f3775fc3801ba84dde9e019524e8a91c33715f39d358fe3b61295dba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a4f2ce5f121f5921af9070372c2aac0

SHA1
41fea02a660aa84bf341078647c40247a8994119

SHA256
2ea11a0cc570cab18948ad48cd1beb644154ae116ebe4c0d419317278f3f442b

SHA512
6f2717f4784e1eec5790651719ea6dd52dc1737917d87f821f0f8abf2f683e00411d3c81069e750b7774a670177ca02e86539f4322cb130aba79398157724e2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
311605403dbbc7f9342a2c419645a08c

SHA1
c255a654dc1e36a6e7004cce3e9769b68f9aace5

SHA256
b1405002e5797ce368cdec98e98362043fd50ec930b02077d4e60c6daca8f58a

SHA512
1a5faaedc3997fae6bbc1aaf03308992ae3162fcf885244b4e6de08d30522d9a06f93c5e4eda4098085f19a0cb83a949afd14db435e86d7b6ba436382dac5fa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb25503bed6c94c774fa7ac6e60c0960

SHA1
e9fdcd58041d34a7541578855365cf8b788e47a7

SHA256
75dbffbded0a3cb138eb6b609a3e50e0a7e7bf92deaf688509a7f67e8a488eea

SHA512
df330ab31b6417cdcd98cbb3463373eb05f48e935af923f07cca040146cef7f1f4215b7ee7a77489373e004eaf67f6646db9764851d9d3605699d57dec370254

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8b363615039e9fbdbf7b1e9ceba950b

SHA1
491e24daf2497cac5aad112469dadd636d22af92

SHA256
f0b3fb5f4628b50e92ec79561fe52b8f425fb2af63e260c351733d180695d62d

SHA512
b00f1f88d5c1eb1e5f711074b9de9c6cb2f1e2af4609be275179e3e9d17efc530a0ea2a5526b84c93e511224aa33b234431d4aa80f93bdfdceb3deab2d5e8da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7533.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7593.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e837d74d78fffccba662969c3819260Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1940-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1940-25-0x0000000000220000-0x000000000023D000-memory.dmp

Filesize
116KB

Download
memory/1940-8-0x0000000000220000-0x000000000023D000-memory.dmp

Filesize
116KB

Download
memory/1940-7-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/2340-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2340-11-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2340-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2452-4-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2504-22-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2504-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2504-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2504-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download