ramnit | 5d7818e9458ee31d2a5aa63b27fbd0593c6816f192774a3f8e8489af3026b2ad

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/01/2025, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
Size

1.3MB
MD5

62f71140570e0946e49e9792bbdbaec0
SHA1

e3cf9eef5b6528eb227bb4b561550a7c88a3ea47
SHA256

5d7818e9458ee31d2a5aa63b27fbd0593c6816f192774a3f8e8489af3026b2ad
SHA512

b513c456bf4e13559aa2275348fa2c1964e03a71451d9d1b3937c1be1c4bf859fceba40fd2457fc22fa1af03227ee6cf2a960b252e1250133612ffeea1d8ac87
SSDEEP

24576:htb20pkaCqT5TBWgNQ7aLwKuJJZ8IqhnW2+KEHJHUuYyYp8bqZ0cOyKEYZ6Ai:yVg5tQ7aLmJJZ8nkJHTYsOecex5

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
3068	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0Srv.exe
2320	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
3068	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0Srv.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2672-1-0x0000000000900000-0x0000000000A5A000-memory.dmp	autoit_exe
behavioral1/memory/2672-20-0x0000000000900000-0x0000000000A5A000-memory.dmp	autoit_exe
behavioral1/memory/2672-450-0x0000000000900000-0x0000000000A5A000-memory.dmp	autoit_exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012116-2.dat	upx
behavioral1/memory/2320-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/3068-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB1C2.tmp	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0Srv.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441957809"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F0FDA371-C8CA-11EF-9982-5A85C185DB3E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2320	DesktopLayer.exe
2320	DesktopLayer.exe
2320	DesktopLayer.exe
2320	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
596	iexplore.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
596	iexplore.exe
596	iexplore.exe
2684	IEXPLORE.EXE
2684	IEXPLORE.EXE
2684	IEXPLORE.EXE
2684	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 3068	2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe	30
PID 2672 wrote to memory of 3068	2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe	30
PID 2672 wrote to memory of 3068	2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe	30
PID 2672 wrote to memory of 3068	2672	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe	30
PID 3068 wrote to memory of 2320	3068	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0Srv.exe	31
PID 3068 wrote to memory of 2320	3068	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0Srv.exe	31
PID 3068 wrote to memory of 2320	3068	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0Srv.exe	31
PID 3068 wrote to memory of 2320	3068	JaffaCakes118_62f71140570e0946e49e9792bbdbaec0Srv.exe	31
PID 2320 wrote to memory of 596	2320	DesktopLayer.exe	32
PID 2320 wrote to memory of 596	2320	DesktopLayer.exe	32
PID 2320 wrote to memory of 596	2320	DesktopLayer.exe	32
PID 2320 wrote to memory of 596	2320	DesktopLayer.exe	32
PID 596 wrote to memory of 2684	596	iexplore.exe	33
PID 596 wrote to memory of 2684	596	iexplore.exe	33
PID 596 wrote to memory of 2684	596	iexplore.exe	33
PID 596 wrote to memory of 2684	596	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62f71140570e0946e49e9792bbdbaec0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62f71140570e0946e49e9792bbdbaec0Srv.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62f71140570e0946e49e9792bbdbaec0Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:596
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:596 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
709415c7684b52b7ac64d64bc1b279e2

SHA1
71572eb7a455432d63d7e1e6431501cf0c9d14c7

SHA256
49b5acd749067b95b2d3bae0d3e69c13bb47db132ba0a47da258f325ae35383e

SHA512
44100f86168e48719e60a106dcbb00155f6bdeb12b3d743977a81fa7bb908774601db5b5047e181bc17ba3dab309b3398529df99e0297b65ae8ba4978c73830d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de52ac61b158502698dafe44ac57cceb

SHA1
2960cb8617a3038cccaa084c4183f8bb96566eeb

SHA256
51f337d935357555a754e15f756cfcb8a2b02d9aa783800b6b00f9eb8d17aac1

SHA512
421e541dd6e35833e2acf123a39cd1561d8297c5d68643ffe9714cc0ad4e7fb9112cad2a941e1091a3a3041f5d6d7cfcb049cc01a905ab0e0f9f0a5e90381363

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5015d568eb8698c876062a8b2715792c

SHA1
6cb350d0acd642ffd5e5f66dbb5137d958cb1536

SHA256
82adb179a8500d052b96ab7875de0d91b9bc6fc42cb43b5eaae8023fdc96d5c3

SHA512
1d31c18f34553e2e9a2584cb5c80417b162be4f352788be4f3433a808710a73f7e99043e3463744b2db3411cfd8ac557101c8a6577524e829ad7d922a31d90c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
014be008afe8734d4e17fcd5491aab19

SHA1
d0e8d812286d189225a1d7478a951babea9f67ba

SHA256
1cde85725a32022794fad301580bd61b9b62b4ba1462425fa535e4d520b34fd6

SHA512
687b9345a445e5e555aae053d70b2dda9aa40d79c6b52f38b53642519dded8056a8e65824548cab381facbed5790d5317ea338fac416f8d808f1596cc35c3053

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95b5571b415f35251273f7d5011c5dd5

SHA1
83e9507a975dc0efed9689665fd7583c569d017f

SHA256
afd0e15f34849095e605913da0fa842d8cf0c14874f81e66c831b10da06fc3f0

SHA512
8be62816d5b65e0ed06eb79c42a40545498b3712785d9f7808d3d4b23e42a0989ea2011ee2e6918e3e62a3462c6c208992d357865ecb2065dec97036297a6690

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39b7a5b51ddb6fb4834f9dc5df5f2602

SHA1
59b10f2df6134ab0f38211bd3abb942a004c03bd

SHA256
a213525d12aa0e3f3cc35ea815b1cd8d9cadd5c861b00179a525f0e0248f36a5

SHA512
c0f0e3ea7d8996aac7af1dbb7fa02c60077c0d9a42853ef8c10052d35998b9714442fd6e67a183528c05e310b6f7e841259639ecb8d390a90b3d9d9842f021ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adebda445bc3f92b53c2380a7e26890b

SHA1
b53c9c7c8e74d9a9612a3489970e993c2b982bc2

SHA256
046df732ac33a361663cd9f4b886b646630f3bfd71943e67d33a339832af67cc

SHA512
0a8455abb07f96cde920ac1d20ac12d4b216c2b69be8e05fe18d30e7fe31e4c837e830c42f6815d7b9db6a7781c65e9ea41ee6953b30af7a66a72709be51e202

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab9fc6fa27c268679c0f8424f7c4e444

SHA1
3e4f974e6fe469fee9b2c888b00b8ca661469024

SHA256
39f1329ab9ca2413cf2501329f9ebc5800ae3bf13300d116beb6a72476ef1fa7

SHA512
aec78eeff5c27a4a7211aab9934dfc59a29005e670a6b3ad673a76083cc69feaf4d74142d83460f336083aa83306c1e454c9e14875b5809fc3551a69c7738574

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c21a2827fed0e60948d543ac8ab8ecc

SHA1
18e3f6c5d8be4847ec7803e11b366b852c1ee2e3

SHA256
2a022d04110ddc5646d239158ed5e9c4f2adc1608f5a96bad319a158ccf590ea

SHA512
dd9bd950314378bc2ff8755641ce98608417e0dbad105840f6eed59ec9da804d4454a591e320ea3a2d8096c54cb4d2c01814f3ab27ebbc9288997ee6f6417032

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57390dc8673db355d39fe6d33b476f86

SHA1
0f583e5c309996aa26f5009bebfe5cf66f1c2ab3

SHA256
556141c1526030059d65c8db7f2f327529eb1b3527b0a2cffda3adcaf780782b

SHA512
724caf5b6bd56eda8cd5588807cd9c0a46a02195b248c33484468d4adf5924adac7ab60ebc2e61dae1b95a67c7daa63873c9f756e5998c28e0caf63365b90a22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
336cce852ca5f3827ec486e467b22242

SHA1
469be32513775f6a55c9657cd7cd7695314e431b

SHA256
87d0086c5c0b0dfd529c12ff54b2b479a73ea98e71f36eb27b26995909147cf4

SHA512
3fb6fa944661715a7017530ef1d97e3d73eb284042133e5dcdd8f99570390c564c6e9da97d51140179eda6374854895dcb4982089d16855bddb935725df73c9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6b1ef371f1a95e784aa5bfc5303aaa2

SHA1
bd3185ec943756a3811bedba2f3652d0512b84eb

SHA256
25f42a32a689c55b9df31ae2c11427451d42c859b718ec771d74e90e1f6567a2

SHA512
a702df2eedcd14f3c3d4cdd55891c95c4cc22bd2d92164522ee5b3bcf5c11a46c094cd195471099762055069694914373d8ff2dd2cc6daa1ce572d4f3762a355

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34f472383e29e3421e2bfbdd2694048f

SHA1
3e5d535fa4f42bcf88bd814b68ea1e08e96fb856

SHA256
6d6a079a0efb3e2d0857ff3032de9dc47089d4d7572541f77983469a25b2ae95

SHA512
5e1a232da1a1fca99ae7cef57ffde84a7fee7284a11ccd74b66872b06771c39f4a429dc8ec93b7e1b970c7428761c92be85dc1a682e3e1950598e05f60d63799

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca0c9885e31e4c8a6020323452c8f704

SHA1
5ab15483916032ae469ca4fca03a7d15c2045e2d

SHA256
7cc0baf5baa60ca3fbb5a08b7787f1e6c044994a2f6eaeb6e03c21f109c588cf

SHA512
0afc851a8ed33a13abadd15d881d84ce44ee5d0dec55c0f4d989ed7de10a89cc5c4cdafe39a2cd0bc93c48ec1b4cc045de515b7c1e4edd6cbbb73e6a3a975545

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ad180561e7ca0f7b6526b9b288f3610

SHA1
fcdee593f82bb811a85b90359cc53422669595e8

SHA256
cb300422d0d21e3c033efdf64ccc2e41250214ef0a225f4b27711cf8229e024e

SHA512
735475b06adb9f31f515b4d3b0829faf325808b307224b65d0f68bb380f744c55093ca64fb17e603f5dd08ff987c945e4b69d697eea8037a4256db3daa715a43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93b5b7e0e6d41aadd36e889cb26626b9

SHA1
13ff350828900eec83bf73286b643100d69db7cc

SHA256
fbe018cf3cb7b2e09091f3fdd1bc70f69fa435399734ca284d4da5dda2a8477a

SHA512
69167274a4edbd84832b42a0f177fff7e2b48326614495ae95330976ac59965eeb20020424895d01afd22d242a8fd52e85449b84824de46a901ea4053d1bed3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ed7cc95dc1723378751646a9d730439

SHA1
cba909fc2ae70a7f64d3c2c893c579ffe74af56c

SHA256
692a380347accabdacb4d23b0bc84048f977b61e8262237311034112708adff7

SHA512
c32c03315f7c51f385deeebce098498dbcc6781f5dda6cc1aa76936ceff64bc5c3c58ff2cd80a962c970d581f2b68087ca1f694bb6d2990281ad9e901a474db3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99477b2e7ecf71d28548eedfc968396f

SHA1
60e74ffe255cdaeb70fe7a3a18c0f97615d61755

SHA256
862ce10f7962a170fc3996debffb196d39694ca69fcd0457f2131d561e316eea

SHA512
ba9560f6348783f5b6cb2143537c5500fe5acebd906436e0134583d23a74ab38b534372eec9f42ac6af78d1c756fa87426a033aad55e0041a8ddc9bcb91266fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
728c8d3b05c73401dc2ed1a4e3b04952

SHA1
6587462a1335bd679636a1e462f1e6f67f60c125

SHA256
97be7bcab27543141df0315f716979182c2f26d13000c02c4d410f9cce5794e2

SHA512
d0947cf3bb358b80bca7661dbded6a7bd742b6cd5673973d88e09d6dc50efd11780c2aed77a03cf23e4d7e0f406a8304a909b5525f63cfd43145e42fde91e8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD2EB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD35C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_62f71140570e0946e49e9792bbdbaec0Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2320-17-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2320-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2672-450-0x0000000000900000-0x0000000000A5A000-memory.dmp

Filesize
1.4MB

Download
memory/2672-1-0x0000000000900000-0x0000000000A5A000-memory.dmp

Filesize
1.4MB

Download
memory/2672-21-0x0000000000150000-0x000000000017E000-memory.dmp

Filesize
184KB

Download
memory/2672-5-0x0000000000150000-0x000000000017E000-memory.dmp

Filesize
184KB

Download
memory/2672-20-0x0000000000900000-0x0000000000A5A000-memory.dmp

Filesize
1.4MB

Download
memory/3068-9-0x00000000002B0000-0x00000000002BF000-memory.dmp

Filesize
60KB

Download
memory/3068-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download