ramnit | 840de83dfcbe0319005b435b4063b09fd7ce1584cb9ee57e43e9e25c5386baaa

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0.exe
Size

180KB
MD5

76fe4e39d04e72e47e4ec97f97ef62f0
SHA1

f44b5c20a84cbee7773cc688fdfd5adae28fc891
SHA256

840de83dfcbe0319005b435b4063b09fd7ce1584cb9ee57e43e9e25c5386baaa
SHA512

0a81ddd05dbd127b1f4f5b188e2723ab526acb17b45875538d3d47e4ba78e3927be5e1f0745ce73d59afd3eff2fdd1c954a4d16ec69b29e615dfb090afe55944
SSDEEP

3072:br7cj66rUPSHJpode3ZnsPC4PuCie2TMifFyRu5Chz7ieNz56VnZmAK:YtrUwIe3ZnV4Lie2TMifb5Cd7xlDA

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2248	JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0Srv.exe
2192	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
1100	JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0.exe
2248	JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0Srv.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a00000001202c-6.dat	upx
behavioral1/memory/2248-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2192-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2192-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2192-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2192-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px94E0.tmp	JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C8172B31-CA40-11EF-A5D6-7E6174361434} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442118373"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2192	DesktopLayer.exe
2192	DesktopLayer.exe
2192	DesktopLayer.exe
2192	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1732	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1732	iexplore.exe
1732	iexplore.exe
2204	IEXPLORE.EXE
2204	IEXPLORE.EXE
2204	IEXPLORE.EXE
2204	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 2248	1100	JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0.exe	28
PID 1100 wrote to memory of 2248	1100	JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0.exe	28
PID 1100 wrote to memory of 2248	1100	JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0.exe	28
PID 1100 wrote to memory of 2248	1100	JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0.exe	28
PID 2248 wrote to memory of 2192	2248	JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0Srv.exe	29
PID 2248 wrote to memory of 2192	2248	JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0Srv.exe	29
PID 2248 wrote to memory of 2192	2248	JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0Srv.exe	29
PID 2248 wrote to memory of 2192	2248	JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0Srv.exe	29
PID 2192 wrote to memory of 1732	2192	DesktopLayer.exe	30
PID 2192 wrote to memory of 1732	2192	DesktopLayer.exe	30
PID 2192 wrote to memory of 1732	2192	DesktopLayer.exe	30
PID 2192 wrote to memory of 1732	2192	DesktopLayer.exe	30
PID 1732 wrote to memory of 2204	1732	iexplore.exe	31
PID 1732 wrote to memory of 2204	1732	iexplore.exe	31
PID 1732 wrote to memory of 2204	1732	iexplore.exe	31
PID 1732 wrote to memory of 2204	1732	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0Srv.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a7ff291d7fa769ffed7793ddf341206

SHA1
6aa7f53bb710f865c575063d75ffdb28aa0fe914

SHA256
8e251921ec5b5ba4fde62e71878fc0fc4503edf754919dbb6dc34a4b1257d81e

SHA512
8880fe799d4ba779d5fb76b23bb4da6374151aa0782f0a5f0313ba0db47965e3806a99f6dafc73fa1bde4859296072098dbcd6563db34e7901ad67d8a2535ee1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38693d1f94538a8572351a80cca65f2d

SHA1
3e90276a002b7a042f016bcac9a72dd7fd783958

SHA256
22110a3a5ccc55d9eddb5555b3f0731c2ff83279dbc92ec837f8db2af3386f0e

SHA512
15a4f853970ffc3941b9e330a5d53a55b5d337397e8a4c29a6045835b5fbe5ff1a6e992de20efe4903ef170ac1432f0fd86b19f3d4fa3165d7fb77f108976492

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adeb75523c230ca3e300f08166b53b8a

SHA1
aadccc7331495bb6229bfc3a3d7913b17038ce1f

SHA256
b339d51206ac060e6e066c985a75c993df5e97a5e4fdded734cff40cc5d09fec

SHA512
5511605aecb911df534db95ea8b07f039eb02e37885920f28d0798d9ce2acf5e519311f4a6c9fb2e41815ba7541c2eebfb76484b958f568b2e95abdbb130c2c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
544d4fc2af68354bd9c0db55132c4fe3

SHA1
396c4d327d251c2598a409296eae3402e8e715f5

SHA256
efac5cb596e6fc4ee9f191ce38d9097944eec307e625dacc7da598d33e34e8c6

SHA512
e11039025c0045855a7c3eb32e1ac2382f7e0eceff6d2b485faf390ed10012a3ff1c2ae71e0cf880d2a97cead4fa1ce630fbd3e762036305bf685b11a56788e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c82d3d2078439a1aed6e320aae6d0fe

SHA1
bdd1e77f9cefb5c8896103075ebdb3d8aba98a94

SHA256
ec887228c0d3395ecb00c511f9c6d5810d9b90b650af43dc1bb8de7b13315602

SHA512
e4ad446c97110cb749b3fafe79e1ac4432d566df0897918e52ed3145e44c13dce0f8deded6125816ded60dbafae25b0406ef4b31f23bbd9e39f123d78c2025ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39a0767a08bbeba0e45fe690ee2b05b0

SHA1
2fb74399a11ae45fae8688e5375cdfddf4b2fe6f

SHA256
6d3a56a531ea937767b7b597d64315b628d8d4d0bdc0820119e4e37fdb8eb26d

SHA512
9516bdf99b508d191c2c1c0092dbc8795d2f933ce7ee28aeb6eb38040d80c1912bfce360744d36ed219d811ce61a2432fd8b7fdd728180fc06f0c5dd67b4b6a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6dd146930135993f58619a50519d955e

SHA1
93352dfbdfe449db3a65b349bd86f80d645e459f

SHA256
ee433aa085291afeed61bfc8bc9c6a8fc6cffc3b62449ce6bdc20556a9ca44b9

SHA512
d29ae1ecb7a01c0b29ea75de0aff9fb239d63d7927010f5d9cb3d267b7fb91147f0d309a9fe519d110416f7c6db06ed512c8873d263cc410bc312034ffd3a4b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f34892815dd764fbfb3926e2797e8c3

SHA1
b363dc542cadc65ab94492f4742349b4347dee8d

SHA256
41977815c4d0c0874b3fcb555d8d555cdb509b3770804b4f33daac7b552820bd

SHA512
41b4b0401cadc1e2272412518ae92bb7ba9089a73037e0a9f62a3748faf9432e788cf169b6623253190c33b088fcaeb7e8a638ab6753c261aa2f16279e58875f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a27303c9b7fc0fef4b431958ab79bb48

SHA1
7e2ea1422a89cc1cfed80fcfd41171e033019956

SHA256
b2e5059865bff1878698196043eadbe49392517cc60df77aa78a75a100fd21cb

SHA512
b1a8bdf024975a62ba2ec8524a4676dc38968b20bb22327a5c4782ba2eba0e475e809c271f71b3e12f70f9d20b5062b2ad95fb9010890211ed7ffb555ee8eed9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d962bed13e96ab3ba69f890b426d080

SHA1
29bd4e05d0cef35345b959a9fefc7e63ea9d0c36

SHA256
7c6403be9569ce471440af3658b8a1fa9dd8c8c66266a4d5b6d5304a37c23119

SHA512
39c83ec12ded39dc3d51eb7f589730d57841493c01f01ad227fcc57472f33dad8e4e56465541a08180d221ecb45069d6f24db844b9436e0903c6e7e2e23af878

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c85d058d55032b436f81fea9a1d5ffa

SHA1
0e5432a094737b6d15e330b2e896fd5c9f9dd284

SHA256
0f497b0d81b13343c6fd05a083918ba5270c929bbaab37f1d3b668f9ea9f41fd

SHA512
89db5c7c65277cc14e446989b0babc300eaa68e7e359b0a2d079347bb77a521843a3c79de2edd548f46762a7285442a9c708db594ac158b50ca083675a890c59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfae9158d2d47e8967d31b00abb8c54c

SHA1
afd9a1da8264764b88cd02d834de4f6fb726b06f

SHA256
7647549fb948937f9a86546cabe738eba306c4a9da8a5bb497d28dd462b19401

SHA512
c3da88170b10b03e01ad086aa1e6c355ec214f43b4dd5c41293a9a45d90da9b9342ef412b928ebbaaed66f3c9b3c1df8a0ced9fc9ee27fd0a3e10429e1c059c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffb0fd3de666a46ef048946c5e925307

SHA1
ecc05300510ac479c480e83c3ae445c1c2a05146

SHA256
71ee33eb224ba3f310a992d1ddd5aaa9005813bcc2bde4a41d24bf4637b659b6

SHA512
4eea81bf8e243dd7aaf6126138c88645bcaf333b8709e812f84c6d956cc0bc9a3465165d00431681b647f78356e583abefdbdc1d059a44abde79d35922f348b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a3d26f81ba96cb23ddd30610a111a54

SHA1
632a4239ab150e5e3b4064e5abe4232b9c103c2f

SHA256
6c34b96760e5ee141794c240e2d5dce09db5ac6cc63688e3581f483b556c0c98

SHA512
646d7f005c9d5e9d4b9d0cbc347c544f2af0dc275f09ef3afa6f985e7adb3eca3b664336b0a9a53b0e13ccbc08a7ecd97df45c6bda4defbd6481d1f4c2578bca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cb6d689ac99270b4ae363d40e8d513b

SHA1
bb0d955b89ceaac70e16bb6277f8dd93481c8b15

SHA256
39d110b51823c7be92a99b8902f43a5f0c15df03ab52fde96dc0517fb9fdd676

SHA512
8d2a4bf5573b6ec28464496367e4616a508612f6dcd45972ff0d36bfa0c8085453d5f886c94ef5fc73872c44816d338875b1c47399fa2f0f7db5be7b4229e48e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95b0f34435de6f0ccacb1d0690a8b62d

SHA1
c1bf2e0c785904058ff97997b1650c691983ac8c

SHA256
24a8806bbceecc45d39fe1fb4fc2cf22d6cfbfdc07cc3ec9913e66703d1f87a6

SHA512
6559bc56d67f5ff6abeeef93a43c9f2593c52d3cad6190cca0656a01dbe836057f69c69e6fb17523eaa2526b5896499e10dbdbe066484713b443644920a0b888

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4bdc4bbb32e7d19fa3f24b81b8780d6

SHA1
8b02552873d7b35c4512dcc4563c60e2fededaed

SHA256
a85732f69be7b2a179b3a8aa0b334e1a52a4cfa4bde523efa86ca5e9fd5a7345

SHA512
6887a1a24ede13cf09556f88d913a4ef58884c0c692983976c683d9c154a16999cac55ef59e3e47c58e9130b125a2836f1556890fe959a2401cf3052d0db41c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1e8162955f2bf8bc9f93f17b0dba398

SHA1
ba6055ab14aa019b9e630272bc81c2f4b1846222

SHA256
747ab4dfbdca7ab4a3f29ef0fafb75a91c0f0e652481aaa2895185029aaecbeb

SHA512
bcd3c2bf000fdd98f5a9ece0e2fd9e886c1decf91268b022ddfbdacda1d4ea19ab8b0bd16a4567dbc411edfc15ba9aa294f1fd2e5169f64d70235ec7e3b5bfd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3af56ffc01ce4250e6fc732df594d7b

SHA1
226766830b752bc98cde6d944956cbb30453a23d

SHA256
2a1fdac0e0669bddd5dfb447377b1183c2651071199357cd11478d0c63780c41

SHA512
d3b1f9a6991276cc3d084df43d0a0477f9e1c911e0f0f10be1149d208efd1caed13402260682a4d4eedfbf678704d7b1f8d0b9dd84b96f33c2e5e30bafd9fe67

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB667.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76fe4e39d04e72e47e4ec97f97ef62f0Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB754.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1100-4-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download
memory/1100-885-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download
memory/1100-23-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download
memory/1100-5-0x00000000000F0000-0x000000000011E000-memory.dmp

Filesize
184KB

Download
memory/1100-24-0x00000000000F0000-0x000000000011E000-memory.dmp

Filesize
184KB

Download
memory/2192-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2192-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2192-20-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2192-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2192-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2248-9-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2248-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download