ramnit | 8975781a7ecd529cd700437f2e958831058c325422dd1bf7507cb8a5a9884fda

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0.exe
Size

180KB
MD5

540667b9bd5caa73a4a5d950bf4b49e0
SHA1

09a6453fd4239ac4812438c241d14853fad895ef
SHA256

8975781a7ecd529cd700437f2e958831058c325422dd1bf7507cb8a5a9884fda
SHA512

17e1c6107fdfc04494e27edf47d5f84f9cdc5b9b4231a13d348fd8c33ddbf01345ad6157e1e3bd79dfd8d8f3ca425a6ce9afc86dbdbf8ca59d0938f41955f9cf
SSDEEP

3072:or7cj66rUPSHJpode3ZnsPC4PuCie2TMifFgEkaWEqnT727DfWnb:ntrUwIe3ZnV4Lie2TMifyF+iT74Knb

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
1872	JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0Srv.exe
1828	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
1568	JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0.exe
1872	JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0Srv.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000120fe-2.dat	upx
behavioral1/memory/1872-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1828-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1828-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1828-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1828-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxAF62.tmp	JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0Srv.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DC6A35C1-C836-11EF-8EB4-4E0B11BE40FD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441894210"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1828	DesktopLayer.exe
1828	DesktopLayer.exe
1828	DesktopLayer.exe
1828	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2336	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2336	iexplore.exe
2336	iexplore.exe
2640	IEXPLORE.EXE
2640	IEXPLORE.EXE
2640	IEXPLORE.EXE
2640	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 1872	1568	JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0.exe	30
PID 1568 wrote to memory of 1872	1568	JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0.exe	30
PID 1568 wrote to memory of 1872	1568	JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0.exe	30
PID 1568 wrote to memory of 1872	1568	JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0.exe	30
PID 1872 wrote to memory of 1828	1872	JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0Srv.exe	31
PID 1872 wrote to memory of 1828	1872	JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0Srv.exe	31
PID 1872 wrote to memory of 1828	1872	JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0Srv.exe	31
PID 1872 wrote to memory of 1828	1872	JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0Srv.exe	31
PID 1828 wrote to memory of 2336	1828	DesktopLayer.exe	32
PID 1828 wrote to memory of 2336	1828	DesktopLayer.exe	32
PID 1828 wrote to memory of 2336	1828	DesktopLayer.exe	32
PID 1828 wrote to memory of 2336	1828	DesktopLayer.exe	32
PID 2336 wrote to memory of 2640	2336	iexplore.exe	33
PID 2336 wrote to memory of 2640	2336	iexplore.exe	33
PID 2336 wrote to memory of 2640	2336	iexplore.exe	33
PID 2336 wrote to memory of 2640	2336	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0Srv.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01b570ec76536d6e5701b03d4eb8f6fb

SHA1
d97974516442748e840992db4d4d3d0a9b6dc01e

SHA256
0dbf64a589e397e41ab2782e6b7834b307735f49225f5c06a72596833661e12a

SHA512
ad7948b9b2ddf9093e601cae10174f15781bbcb9886cc7ccef836447c0f373790f536b0b0b55a7d3198362333c99794552fb9271036590c16a25ecac0a4927aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e46e9fb2e5005429bcb998de3da6f5b

SHA1
9fbd1afd28103c2781518ff9b7eeecccab0e6ba1

SHA256
fdd97e015546edf20ba5dcdbab0f8294d1c265aa7fc821fca7cb5ae1fb8dab32

SHA512
d347e613259464b6edc26902722d308f716199cc4e2adbf1eaa4b1ff361795eb5c964708a6d5764f9a3e94fde1a9d7bf56f4e9cbdba667bcbccdbfb60b62bcb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a38de5cf40dcb36622c1f2345095252f

SHA1
4a843f2fb3bec9d1a8fa7725e0332aef6b89da85

SHA256
edd11d66fa5215525f4f2ee15abfbffbd85abbc942a76963de53ff4b524a6b26

SHA512
de1da76c393453c85aa02f89f3777fe456b06382440cbeae257e1582163201ce127ac54b0e9a690e6eda171d93c5a7b5c207cd72a76593c12842f1d8ffe10ef4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17affe0488037b0880d9e2cbeb7c7f3f

SHA1
3526f0f1afc721ef950c3fd21d433dae8e7dbefc

SHA256
602f5fe4c28f5639cfc83cd6daf914305fa9253f56fcc46e168cd7cbb9e85e1a

SHA512
9c37141e22ede2ecfbfee72e7043cb2221822bbf4ea31dc8936d93a03194f2d784399ba286b662f3f3afbebb54069bcbe49b86e4f85ccacc374a990033c80e40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f156fe4f658257e8f124658b7708c824

SHA1
b1a28c240e9928157b53e7318dab52d8281363be

SHA256
cd20621655aef7bccef7a865af47f877e39de9fe842f5d84f860ac13e0056a29

SHA512
d5d235c7ba932405e3a403c8314ddd96595f4f4a37d71a15dcea8baa6c7d231aae7d5b3b51d40495973e64d443a65a30d2cf8bfa665966aa8660efe3e2df8db5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
528b31c71367efcecc6fcb1b1a6cb795

SHA1
4792067da6c96574c0a8ff545b78faaefbefc5b7

SHA256
fe67d45320eea8a28fe44ce6d82dc369f21db8170c743ba576c84f123af0554e

SHA512
ef5c9e44a14f49e7c06fd76fab3cf9615fec1d850ba5e7af0fa6c14bb14ffefc65ba94f299cd1b848b0ea826d8cbc4e487cd4376264babced8c58ad574e1da29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f355d25e1c9950d3628d046a704de8dc

SHA1
88c055645ca43a57b58353e61e5d357a99c6b2ce

SHA256
07cd7d47c041d3ef28bf221d6a680348d5b2e815e35786fa9ab41f9833ae4e89

SHA512
8ff209da376df9cbb087d0f457fe7b28051794edfd397054f1240ec49b7deeb2d25b362973fb9910ae03aad1b91365136926b5427784217949273e32da9f0987

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
821cdb456d311c523af93949bc24e682

SHA1
03a8c6bbb8d910b45bbe40a528d98acd474a6e77

SHA256
3865947dbbec4e101dc1b9a9523939e6ebf32feae5d9ff19286e63d76a1149ad

SHA512
8deec1dc7178d1f644e088b3e9707c3371a30f9e10939d917facb2ed0b6dc9b8507719a6e3e5d4cd294f9a099dad8476f873877863d4b46b912c637cf3ede9ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad864e80c2f8d68f1ce14de01ccaeed4

SHA1
9d02cc9ffac50fc5bac02449c7e924f06aafbf11

SHA256
baad3d00d7982dce03df77ab8c0528a3b43c8e0cd01e01a66ab8c96966804286

SHA512
0104b13ef03da0bf7c71ab5199a67e8462e79c564454617c5d9ab35385b380c15b661291c32d64e9c72f49022f677a30e6140e8148540330562fd88fd3d72563

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77369ec02b2d61d005e7b11e1255f5ed

SHA1
2f5e4b188679bb91c132843caf86c30da383891a

SHA256
7c47b3618064f54c092611f9a3db360267fb0c4712f5e3fa0f23cc7c067173e2

SHA512
d19d4389287358083c02d15ea62ba40f9a72221f8e4f7ec3694464769159dbc2915c1eb6f25fceaff25a8c1ef297b8f6e41b3d9c0f17c7b428f4a770d65ec689

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db525c090f84879d4b9542bcc7e20648

SHA1
98974c9e0cbd7baa52ca16fe34de2269477f669b

SHA256
e0680d9410ff6b98c6be210c456b03d502929ea6b92424332d3cef886d160eb4

SHA512
4c99b127a939222225434ca4cabf718734f6e0575a7a0d839b8f6c4ac937a326eefe35368bd9757e2a7ae837efc3a819c406bb11f28b6303710dfbef50278029

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9554e73bbf78ffd589e012228c456afd

SHA1
1cf31be2cabe73a870ad334706f42b35eb307bcc

SHA256
135d248df94263175364ead1008d5f605c2fc58e89ed4c8de315911bd359b22d

SHA512
cce27af8d120ebbb8d3726a26beb24d9c724c60dd1f006cbafd273c0babc8c6655f0e6a975dceaa0ea3db3c03de4f8f3ecc72df9523c3dbeebe208066d0ce80a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
814b288f69a22f0266cd07322d99f7d4

SHA1
379f9e92a030c366ce63be7a51615502dca66968

SHA256
321b658a400d4a7e2f8536b1cbd4e582593adb28bf1cfbd776fd8988a6366821

SHA512
30683192fa3b57db3c7de4e06d4f1f013f01ec56fa76db2782761e0543a461350fc497fa7c47f43cc5e0f9a8d11947d453d7413b9d980adaa8c2bb60694a5436

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e45a0a2303f006fab779088bd4d8bf76

SHA1
4b129453e112de3edd21af0c91d1702a484fa291

SHA256
8d5aa21559f098a39456bad568d9d377b89a75af07d9b5f7528e398cff972ae1

SHA512
58f82f428c6dd38dd199204a25b621046d7fb3e037d47be0ead3d6325ae4755a10b9b53c3adac2982ff8c59074cfd3f5e6be32df725717679631aa5c48755e06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe9ff4179205adcb19589667a138c123

SHA1
4eb4a8dc7abac4d7d5c147b14e257cbd7bbb321b

SHA256
15b8d6232d0e8f80b656aa26dbcc2e48489c9a3cafd5f48162f2216260d383da

SHA512
d0391c567343fa6116c52fed1fad25a2981950b4bbff3056e39fda4c495f53a253047f30b528306b078602699ad683fb13bb7d068fae278ad306bdfc466cdde1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2ff2ad65b869b0660eddfc05f1e0e6b

SHA1
ce44091e6696bca1798e76e7b19d9b67e90a563e

SHA256
b25f861be86256443d31c848a86674ef2b681e68c9034be52d204b11fb7ce391

SHA512
44454343ae08d866635ed1947e16b4f9331c0a95a5feb8cf169fb7c00f14e61b99c5aef06edfc42b11adcab83be114633c15114812d3fe04de6ec743ad4805d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28b50ebf827da6f619b1d2add18abe21

SHA1
b7d94e857882841313d69b9c752f4aaa9a25465f

SHA256
fb97197843faba97487631d096851bfcb8323d2591e8015d7b2ad55b98365262

SHA512
be436e352d69f8e8da5144c5cb2b58149f40f24124a19d8bbfa8fe5f18a7cf4e8538e4dfd3300fad41a6ba8251301b9e2b116eb52caddfa64b1e6ad6198ae2a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d82701b551e6c860f43210188ae13a9

SHA1
9d3b6e307a0ceb1ecf86fefd1f56f134dd3d76e4

SHA256
60ad9ee9c7802b1aac3fab604c13c0ed4713ef19ed362466f87c9eb653f17b6b

SHA512
c62de04146d3484e93a1ca2519540000420e29ffefb9635a207d54875240410a3435ac6e4e1536e2d086a14706cc8b5f102682ff6412883a56e7d10046137724

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7baf10d58c2a6f2b12bc75d26dd4475a

SHA1
bea6d5c299379364ec0b09c0aae2074a7c1aa9a3

SHA256
4f78be6bc035fe73aabe598635523c167ee912de7296d6f098a5f4375680297c

SHA512
d8c64552a4b9fe6d7ecfd171b9c4d80d609f2e7ce60fe8ead52a0e2e3ae294852b34aadd303056a95ce2a524411376b83a84b67314a1f621848beb36d7900961

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCF32.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD011.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_540667b9bd5caa73a4a5d950bf4b49e0Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1568-884-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download
memory/1568-7-0x0000000000160000-0x000000000018E000-memory.dmp

Filesize
184KB

Download
memory/1568-23-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download
memory/1568-0-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download
memory/1828-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1828-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1828-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1828-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1828-19-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1872-10-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/1872-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download