ramnit | 4359cc0978b6fbd60437be4cdcbc78d0ff180083dc1e9161bf10ec7d972dd618

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_50cc4f48fe6030d635da684241460615.exe
Size

1.3MB
MD5

50cc4f48fe6030d635da684241460615
SHA1

704589bc214fb39f206246f8db1db046dbe2b3ae
SHA256

4359cc0978b6fbd60437be4cdcbc78d0ff180083dc1e9161bf10ec7d972dd618
SHA512

658d424db25fb881c23304072461ee243f12c114500a03b20d4fb1d142d4f3502613164ffbcfbd0b95a237b3ec894c4bff7e6b6285d71436263ac0ebe7113f92
SSDEEP

24576:/8nI+Ou7x47vEowhVSuk4Dc3TBoxZr18+qTDM7HfOeEiMjYpX32SRuZWUe8j:knl47c/kqc3TBox55qTDi/O/12xRuZRt

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
1684	JaffaCakes118_50cc4f48fe6030d635da684241460615Srv.exe
2860	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2420	JaffaCakes118_50cc4f48fe6030d635da684241460615.exe
1684	JaffaCakes118_50cc4f48fe6030d635da684241460615Srv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000012000-2.dat	upx
behavioral1/memory/1684-34-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2860-39-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_50cc4f48fe6030d635da684241460615Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_50cc4f48fe6030d635da684241460615Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px139.tmp	JaffaCakes118_50cc4f48fe6030d635da684241460615Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_50cc4f48fe6030d635da684241460615.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_50cc4f48fe6030d635da684241460615Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7EAAD7A1-C827-11EF-AF60-7ED3796B1EC0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441887610"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2860	DesktopLayer.exe
2860	DesktopLayer.exe
2860	DesktopLayer.exe
2860	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2724	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2724	iexplore.exe
2724	iexplore.exe
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1684	2420	JaffaCakes118_50cc4f48fe6030d635da684241460615.exe	30
PID 2420 wrote to memory of 1684	2420	JaffaCakes118_50cc4f48fe6030d635da684241460615.exe	30
PID 2420 wrote to memory of 1684	2420	JaffaCakes118_50cc4f48fe6030d635da684241460615.exe	30
PID 2420 wrote to memory of 1684	2420	JaffaCakes118_50cc4f48fe6030d635da684241460615.exe	30
PID 1684 wrote to memory of 2860	1684	JaffaCakes118_50cc4f48fe6030d635da684241460615Srv.exe	31
PID 1684 wrote to memory of 2860	1684	JaffaCakes118_50cc4f48fe6030d635da684241460615Srv.exe	31
PID 1684 wrote to memory of 2860	1684	JaffaCakes118_50cc4f48fe6030d635da684241460615Srv.exe	31
PID 1684 wrote to memory of 2860	1684	JaffaCakes118_50cc4f48fe6030d635da684241460615Srv.exe	31
PID 2860 wrote to memory of 2724	2860	DesktopLayer.exe	32
PID 2860 wrote to memory of 2724	2860	DesktopLayer.exe	32
PID 2860 wrote to memory of 2724	2860	DesktopLayer.exe	32
PID 2860 wrote to memory of 2724	2860	DesktopLayer.exe	32
PID 2724 wrote to memory of 2616	2724	iexplore.exe	34
PID 2724 wrote to memory of 2616	2724	iexplore.exe	34
PID 2724 wrote to memory of 2616	2724	iexplore.exe	34
PID 2724 wrote to memory of 2616	2724	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50cc4f48fe6030d635da684241460615.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50cc4f48fe6030d635da684241460615.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50cc4f48fe6030d635da684241460615Srv.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50cc4f48fe6030d635da684241460615Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
073f6d4ee78bf98430b0dea16b50447f

SHA1
acce6e1b84d3563c455c457a513c13d967494b7c

SHA256
e4d9492844533c19f6a8ab0b572b01fcc4cc24a12c2eff53bc60caa7ccddcc68

SHA512
103a4af6d8e926ac8b5378d0b5a00dafc1c0fdbefeb885d9dd67b6e32715f762f3c0b4d2a6d99662d49224d022036ec74a55e50413743a94252c703c96757638

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76630f89f177a01085e41a0021f0a782

SHA1
d774895ebbf02e1fc7bb22cd88dc4228b2ca3f52

SHA256
c50c4f89d19d4946204c70eb72b1deaff815407489856a90bca96bfec82af20b

SHA512
afe4306d5283db85d8958fcc15352266681467f4a384f7413bf77461f9fd6769678a912431ece30c0ca87a1a75b7ad41785476c400ceeb6bf95ce785962c1c60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
218575975f2bc9d76dfcde25ce990f54

SHA1
fac0f1481ec7f6a61a94e2be59de9f974a7c82db

SHA256
7e4ae400598860a1e7d5ca5268f6a08eea7786e9580756dffe0788b909589f8f

SHA512
7af8acbf7e4f728047b4264317dc6ddeab82d9fedf97266a73cd0ae99fbc8e029e95c6fb80311b24c982aafaaa0253de1ecfca7681b7500ff91ac54129b2a69c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9c869c2b6cd6eec6de98bf3ec06495b

SHA1
c9e2b7b099296c46c484137c8d75b14c7b140e5e

SHA256
7b503110dd46f335d342065b1747cd40a9a451e280b9641ea28261af86b59cb6

SHA512
c16cd6886cad1b2a7909aafad7a9769f6b6dfb86e58ae5bd6729745c3ef68671a82aa1c2d8c3c80a2a6315b8f4bf931a16e1b78faf89b26137adef64776be2ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f9b2b47406e32d4a12cabb0531befe8

SHA1
4fd420f94beed29b211e74cac9af11edb63823d8

SHA256
f3d78e45cc36de1a6dc3ec18d5e980c2c214fc726b399d70133aa114caf5d78b

SHA512
2a7607a7609d00b4005b912be327ee890751296b3e8041ba4ee3cee62f4a99339bdec156314cc177eb3d75b1716c79e6bd90756274a521e1c18cf8f6707f5312

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c3645d1da0ffb3eb32b8471463407c7

SHA1
505d0b536ca182c3baa5280738dafd730c8d06e9

SHA256
6608d81cd821ae8e05d2da3c945fd1038a61f4998bd489cc5d9a068bb49bf1f9

SHA512
ca9aa8950e5d0298042e8c8b5903d154e930e63179a6c8920c9855775196e06541a63d830e9522b88a2c8113184bb3b33a5e4470959bbd699c6574b29342d05d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc7e72053068e1c0d3426bc3e5583bc4

SHA1
30c7866c568c3655c91bdbd292a3c7e7b82f3b04

SHA256
3b7a1dff759cb1e4b96eb4cbbe3764eb56997bb86a14b3a542da33c8d1c82427

SHA512
111aac06f4efbf0b611d0d947ae6688a3892898194a7a1ce066176d42818e7e3cf27194bc778c14ad164529b0e9e34628fbcfb34ab4990b0420fa30fc1d7b9c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e3f9a698fde2fa02e4cc1dc01cba1a6

SHA1
f5d5986b4a839f13a8c59196bb6c163506023616

SHA256
1766b912bb93d88c80af52d329b88431f1f7bab2d0de91b2a583933da7c8f6a3

SHA512
fdff21ea9c40d31bed7b81ee6d43ed751ed5be7ceeddce23abe30468d3c531cf26188355d8d44233e9fb713d542f69f1f16384b4222af41eb58d4b080591c83f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6068993929becda04c4768b70495d078

SHA1
494e64f4ca3e86036412ae0c9d3f18f1383a95d4

SHA256
e7ed894f4b92e971c29065090535f2cc2853845a12ce4f45dd97b861d7c4821b

SHA512
af9fe4d4a1671cf7adde593e270df437dee7d65caf61427402a9038925035cda5708e9ec527a81f24773ca87bae65b734680cd9b144a435ae94f96896ecf26a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
475dc194ebebe7a26fa7ce275634e75c

SHA1
2992a06764a205fbe3b6c65314ba6d7fef2feafc

SHA256
437e1d64a6f5f6a2566bed67c0c429c6731b1d3484afd4ca1d236660799f8c4e

SHA512
d837f21d3c0d06ff269b8b6e5f66b53ba1578764ac330506b4e561066cf1c265e1d3bc001b638b41a5bbcccb8b998c4a56e27987ae689a94194c93da58a98ec5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30b6788e098567aeedc9e5ba0c10a775

SHA1
ddde5432a3ab1834b1b37cdcec91f2409f30a46a

SHA256
e37ce1a6fdfb1f3203d58f9fd113923e4be7e000927d56087ecff6f772216867

SHA512
1ede607e2485fd493b43c0cf2d5c8f46023e85a14ca70758c43a03a93cd5f5604d7926f22325351628342c927c73c30cb9828567b2ef23d7cffbbb0e26deee75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abe9d49ab1c63f52291300c1d8c52597

SHA1
1e9f8c2664a8645f664f526f9b0a76533e1445fe

SHA256
cd766e2f41d325cedb4c3c1b0fe91b4f3cb77696a98e22d530d4fe558339f915

SHA512
527a31778436333b8c4f873f44e06ae6c0269fb02a8d5649d3ab1bfd4c96a449a508b0cf06a29be9ee6795966d1b1c1f6c4c4643ecc8cec942cc719c9c9a0513

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d52b5f460b8d811a8c3cf6f8810ff100

SHA1
542ecdb6b613f32ca34543c29d0a780c247ef956

SHA256
b56316f3511cb3f621c75075e384f1e8524793a84bbd8b5a488340f488070746

SHA512
ff5d01c9a0c89c7636a3b7d11fbdaebdd918b2d14257e8b94edbb4b9b4944f2ba71b1b995344c937ae71a2d7d6abe2531c7cfec02f82bda5825d9bfd45e583cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c9c981f596dc10cc30ca44c9f564d3a

SHA1
aa4d2ae8568b660b740c729fcd1055fb730adb97

SHA256
63e62f9da39d02f0e9f960f864bb11a9f4fd6a6d59fc35ada7c5015ae7f91c1d

SHA512
949a8095d7c42877a071da1fadf63a482ff39a91dad708a78cafd4dfd9cc39df1fdfe6d4c4e3364fee0f4126e0e1e620b2d3c89bbdbd52097d322698ae7245a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d10cf42cad3fd3d7ea1a9d8764b4b008

SHA1
2fe9768a7d7bb9b5a1f0ca72d086c4c4f5b27ccd

SHA256
fb5e262323f7e63f01b386f58ca7d73dc27fae5d3c89050e5aa4b2618353fea1

SHA512
b11dd4513b1414e1cd55df3d7c197f5fb2f6e953f2ba23c63d7f55cbcddf056bac44caec7f4ab115371001b58cbbe19a143e03775e23020af907d23965c33882

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06c3928b973cbe68b104a3801a618430

SHA1
c7d107d569821e4f0c716f2e1a93228a01a8d899

SHA256
12909579ba3e33f90737c29524ca52813d844d33c50bc8bc219a89652ac1f03a

SHA512
7deec4dc446c803d11b259f6602a4b0be40378447678b92c45d976788102ba455d7d65cdebd2e0159ab84a3a3c6b501216d1bb453c020738d66cfc1e6ff818c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fdaf209c60707238032d19bcfae9691

SHA1
a68a4216f8d770df188fcd6328266e938f761bd2

SHA256
47dd2489e31daa21440663d6e6607e43f7958958ae94964938bca12294bfdb46

SHA512
acd8cf42de31b5c99b9003aa0e65104ae67387a17894bebfa64e6e0f4e3942f6a060cab6dabacf315733168de63b7defc595661117687c3b0f20691f623bcfbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5817e6d526b8421653df68315ff79ce

SHA1
89b50ccdfcb062d55b150c13b1622ab71ef6c159

SHA256
fd596893d409aa5785a9ea1adc6e2494003b086a5dedfe503d076776b31057ba

SHA512
de2189f6439bea7a737386e21c05dc29514be3cc67f78f747a16c4d82921573ecbc8a53e4694fc7e62485cfb5d9b5764f5eb9401f6a3d00c5654b89044a70b6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05fe879d28c8aedc1639c986061e04a7

SHA1
f6243c2b99b23d93538f5b36586da5011159730f

SHA256
3938efc150e43a921a92dce626bb8a59bcc3df86e6563f8447c8de67ea84e7d7

SHA512
6d64fb51c86eee7cf1d7d7d5bac2a81cfa25f714783560d8f65f96059f9ad0ad69063ae213c071ff317f079c860c79dc3a90c0564548e09d839bd600e6b230cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab17D7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1848.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_50cc4f48fe6030d635da684241460615Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1684-34-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2420-20-0x0000000002350000-0x00000000023E5000-memory.dmp

Filesize
596KB

Download
memory/2420-16-0x0000000002350000-0x00000000023E5000-memory.dmp

Filesize
596KB

Download
memory/2420-51-0x0000000000840000-0x0000000000990000-memory.dmp

Filesize
1.3MB

Download
memory/2420-50-0x0000000002350000-0x00000000023E5000-memory.dmp

Filesize
596KB

Download
memory/2420-47-0x0000000002350000-0x00000000023E5000-memory.dmp

Filesize
596KB

Download
memory/2420-46-0x0000000002350000-0x00000000023E5000-memory.dmp

Filesize
596KB

Download
memory/2420-43-0x0000000002350000-0x00000000023E5000-memory.dmp

Filesize
596KB

Download
memory/2420-42-0x0000000002350000-0x00000000023E5000-memory.dmp

Filesize
596KB

Download
memory/2420-41-0x0000000002350000-0x00000000023E5000-memory.dmp

Filesize
596KB

Download
memory/2420-52-0x0000000002350000-0x00000000023E5000-memory.dmp

Filesize
596KB

Download
memory/2420-18-0x0000000002350000-0x00000000023E5000-memory.dmp

Filesize
596KB

Download
memory/2420-1-0x0000000000840000-0x0000000000990000-memory.dmp

Filesize
1.3MB

Download
memory/2420-23-0x0000000002350000-0x00000000023E5000-memory.dmp

Filesize
596KB

Download
memory/2420-25-0x0000000002350000-0x00000000023E5000-memory.dmp

Filesize
596KB

Download
memory/2420-4-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2420-40-0x0000000002350000-0x00000000023E5000-memory.dmp

Filesize
596KB

Download
memory/2420-28-0x0000000002350000-0x00000000023E5000-memory.dmp

Filesize
596KB

Download
memory/2860-37-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2860-39-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download