ramnit | 26c0ed3277683d94f9fea0b579ee8d13da7a5b904278a2acb452c4aa505b8d69

Analysis

max time kernel
141s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Size

483KB
MD5

12d616d93ea21ec2962f5d97485e987b
SHA1

1b60be15ba28018945b498a259953c0034af94b9
SHA256

26c0ed3277683d94f9fea0b579ee8d13da7a5b904278a2acb452c4aa505b8d69
SHA512

f96dfac790793b924751889c59c41cf5b323b7d8b31928a2744d065b4a3c70fcf4b30b46d3a73ef22e02294c585262a0250046ea1350414d3fb458c4c383ae72
SSDEEP

12288:NkwtMquzFKIUVz8u3Q0KiMuxbjTShrHwFClMx578eQnA:Nki1Ew5Vz8u3njfbsoCyP78e0A

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2172	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
916	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
2172	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 2744	2380	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	34

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0033000000011c23-2.dat	upx
behavioral1/memory/2380-4-0x0000000000220000-0x000000000024E000-memory.dmp	upx
behavioral1/memory/2172-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/916-23-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/916-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/916-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2744-34-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2744-38-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2744-31-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2744-30-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2744-28-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2744-39-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2744-468-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxF7B.tmp	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2968	2744	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E5845241-D92E-11EF-9A84-E699F793024F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443759959"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
916	DesktopLayer.exe
916	DesktopLayer.exe
916	DesktopLayer.exe
916	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2444	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2380	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
2380	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
2444	iexplore.exe
2444	iexplore.exe
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2172	2380	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	30
PID 2380 wrote to memory of 2172	2380	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	30
PID 2380 wrote to memory of 2172	2380	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	30
PID 2380 wrote to memory of 2172	2380	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	30
PID 2172 wrote to memory of 916	2172	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe	31
PID 2172 wrote to memory of 916	2172	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe	31
PID 2172 wrote to memory of 916	2172	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe	31
PID 2172 wrote to memory of 916	2172	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe	31
PID 916 wrote to memory of 2444	916	DesktopLayer.exe	32
PID 916 wrote to memory of 2444	916	DesktopLayer.exe	32
PID 916 wrote to memory of 2444	916	DesktopLayer.exe	32
PID 916 wrote to memory of 2444	916	DesktopLayer.exe	32
PID 2444 wrote to memory of 2844	2444	iexplore.exe	33
PID 2444 wrote to memory of 2844	2444	iexplore.exe	33
PID 2444 wrote to memory of 2844	2444	iexplore.exe	33
PID 2444 wrote to memory of 2844	2444	iexplore.exe	33
PID 2380 wrote to memory of 2744	2380	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	34
PID 2380 wrote to memory of 2744	2380	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	34
PID 2380 wrote to memory of 2744	2380	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	34
PID 2380 wrote to memory of 2744	2380	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	34
PID 2380 wrote to memory of 2744	2380	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	34
PID 2380 wrote to memory of 2744	2380	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	34
PID 2380 wrote to memory of 2744	2380	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	34
PID 2380 wrote to memory of 2744	2380	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	34
PID 2380 wrote to memory of 2744	2380	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	34
PID 2744 wrote to memory of 2968	2744	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	35
PID 2744 wrote to memory of 2968	2744	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	35
PID 2744 wrote to memory of 2968	2744	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	35
PID 2744 wrote to memory of 2968	2744	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2444 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2844
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 160
    3⤵
    - Program crash
    PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb841960cd4f9c67830012b538c062db

SHA1
8ba72e31de95ee71bc95424cbce78bcf91402796

SHA256
82d148fff4968aacaef799c18a6c812ddebb30321ff4f712c2f4704a0e748b22

SHA512
1fda712ac7ee2a0caf6a9bd02066d15fc094ab27a774193780b20d29ece04bd055bc1ffe792409c6ebc08df0f0ac1f5783daef5d65be7a9184c91731c8360619

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f5242bf1797a9cf8477ca5dabd6674c

SHA1
1e613084c35d60a9e682d53040bf068f794a5f5c

SHA256
ef787a3d9d84552f127aadae84f2032bd152901e35aee9bf8c7f277cecb8fcac

SHA512
98df85009e205c8b873575e36872792f8b0fca398abfbb643b37ae6629825af19a432e4c887e76acd15b8bc08b97f630a16c236cf327c67e4c47083005cd7a86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36fe910beda7bff843a0ebd83e8f1cde

SHA1
f72bd5ba2d49c7ec65309456fd6f03f7ae709acd

SHA256
5b2b1a92588145b44c6793a5dccef87afaa00472de34efa7eb52ef9b51a542ae

SHA512
1779ccf74b4b38a0dcc7abc4551cd8326326e9d9ebfbf963926d29dc38e15cbea95155cb1e2b578aa98190e5e91472e884e87e0dfca48ca30c859838fcbf14cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38573fc971918c54236c3e3b71548f6e

SHA1
f54bcb3d3af89f4bdc98600c6ae26b9245452249

SHA256
e9bbfdad28c833af38bc3dd82a4aafed43a8f8be1343c4132026f4eb6faef20a

SHA512
b703f9dc812a456c9c4ed19cd971be13f2a5d9bb6ff8170f59b3b90320f117847f2f7d1e2626de3b9dcbabed2b2469d688987f44ad1e4ef7bf01b83d894d2104

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
751ac009c505c4ed974093cad48f35a6

SHA1
656e0b5a1b2159a68a1f6f236847aad24f70c006

SHA256
e7d696e1830c4b1a489b49acc63fc5534427ec9e470d96a6ecfec6b2188d10b6

SHA512
46f4f18dccb2c4193b620f9673f612ee20608a27ab2b2382a651813c3f80aedbe43de756911e7c4f51d04fb6f7173305b9a6184d1320d6271c3d22d1febeec0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c3e7ccb6cc7425f07bdaa4d93952de3

SHA1
06c3d34120205387da06208d62f46d4eeceddcca

SHA256
664532caa7d388418552f19ef75409127773f5d32576861c7bda99f3ce86850c

SHA512
bc2c9e7bae6f2e2e12bd72c61d35cd270ddd0ff7365db69cf4ffb3eb277a587743bf0b3f91536ff83d919c9058f9079942b498cc2ae9310a645f180b7ec08bdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4656911c52efebbddc13866b11424856

SHA1
97566a0e21b5b033390c7075bf2d4e66c2fdf2d3

SHA256
3ab9a64cac0b23515648255f419f22366e91a77c989427fea0cba5ad3d49893d

SHA512
aa9163aa996ef4338b21c7e4aaab6b449075f2bce3ac5a812b3a70492d738b03bb21ca74bd730f60129acd08fcc002fac94db99f946a5573eb0d540d234d5f7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd9a4876a232195dd58b4d95f58e689a

SHA1
c32917d364922f8ef990660cd78f60e6d1df57b8

SHA256
ec5f91dc49eedaa8e96815b865609684bd2299bb48e503450eab85d5b100b47f

SHA512
77a8492b785af81d892878223e1bc157746e0111c2563dfefb197454ecc8287bedb5ce8fcc8fce96e6692a61406551c653b8ab52cf3af3255f9fbeb4ab0fa077

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c908c361f635c658d22c8bb161c21e99

SHA1
74f27e4c7da0867b3c50c4dcc14f974176bece75

SHA256
63b86fd91e6fc133e72892ca1d8ba73d65648a2f61cc4f971a6572644c3defa0

SHA512
6a34a1f251dc4c014989983c38fe0b7e662d37a2d44a598d2846120aee08dd8ed64da552fd5e893204803e14e372ce7965eb0bc702ec378a70af621b7a8a163f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
836861b4237866abf834022e57fb1c0c

SHA1
67ab2678e731cdab9d725148985f56b972fd85f8

SHA256
1eb54fa1a55271de681293cdfebd080d3c657b58d2c447f27b158fc84a3cdf47

SHA512
af966740b1c6a40f412e4dd4757ba4834763aa65c8aa6496a6d50b479b814e7e2ef810dadfab60741b6d55431ef77b6ef1a54f7ffd3acef35c58e0278f859b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
361d836c9f643d8971a7da13f89a1b6c

SHA1
6f0fbcc41f2d1118090e77201c4b3cdf0a8d9c20

SHA256
294c14f8c7d5f06d25c20cf3aee25b8f85d0b5334f309f0db9451959e663f894

SHA512
1c492c3dd274cb81fa2e0715a3509d918cbb625d924d6d1031571eea716e6a339bab9d13af179802697c466e8b5c8633a0eaae54311913b72566b9ae8657ab15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea5a5686e876cdd28129ab3351cf342b

SHA1
8aeb78605d99c88794e0c0661f0ad7db25086107

SHA256
06d723d10a4132f950161dfb390f7ba3cd09b891000436caf93a4eaabfcc3a85

SHA512
b77928e0cd29491c36a1a91cc70c2bd3bf00187b708a0e7b3af896d5d6bed736e9aea4eeea10de1bde438f38277b7965102f9e3d7ece6184aab4444e9e5a8d95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
179cc4008b7d49b7b34ae610632c3e7a

SHA1
44b029b1c67513f2a1c4fee740d3285e81680cbf

SHA256
cc745c7b85f17207c732a41fb7095bb11b0be609bb0e6d0f85d312f31777d1e5

SHA512
b7f572c6824a0f1270526854a7a584cdbfd45ad8112c00a37c2b9b5efd407503842b53589b64b08a9213654e400d92279d77a9292f8ab9885961fd2c71b57db6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c3a861be4de7177e1d2fc5c0ee42505

SHA1
ff8779979447e0ce961c8c08bd483eb2e13604c9

SHA256
5ac78d53880ae8debc07641df6a7abf2ef8813531635d3617957e5b89b5420e7

SHA512
df3a364d3aa61544c05ae9ce1b37feba0588f0f760c2ffd95913e4c23f797bd5895f7d61aba44eed00bcec04e11874ea61bbf25a5df5b91005c4729235ccac4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58cf77dd04adcbddba0fdf0bdba0e646

SHA1
25f5e38849ca3a482b2e857bc23803a3a1bbd209

SHA256
9f6ae37a131f2c9b906444709cac9b0427adeb2041d5100e548ff7e2d74404ea

SHA512
6fdd4d07ad5369272b58f660ef0cf667b9400c118b98129a2f4b26ad624f7ebcd1f2000a01e92113074ff5b47516874e2e013e2f420a764de8898db2f1062f17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a31cc09cb721161735a6d9c6c3ccf677

SHA1
1c7a1a7975b24b91831acc573b680cf30265d7fb

SHA256
1428e61d1db27654fe964d323a1394ee86dfee7ec023dc437627c76dba18676a

SHA512
4d6090f538ab321ff459a9aad89120e2cc57637bbc2f55bfdc828102b6981c8d78c29d7cab017f18601079e2dde4c03b0ddc08b94428c37dfc7eee7f5f0934aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bc92162dc9d4fcb1d6977017ffc6fbd

SHA1
5a537e1ac02cefd92ab43f2b047bb5f0fc50bcbd

SHA256
537a3347a6825c4182cd99885bdf8acd1af60e8f711345d6c1ce490eaa555334

SHA512
5b9a277f2c65c67ef34fc568bfd6853149ec5db19fb7bda848493d91b4694da70ce7470e6ede54164728c4c89de409330df59d0981c874a944af0507ab75921b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0df2e12aa6ba6b8a3f6a3f75ced230b5

SHA1
a207321e12b4c8e63e381822fc215fb8cec25a3e

SHA256
849bbe50082d95a1ae67a25fb1d71a155103b76da9d4167ef8f0b794388a1549

SHA512
16a1731e901ed403388bfcc6469a6793ce2b94731b647750d7edf91343c9c3ce8593656d082f67429babb177c836c6fece94dfee5e375bb16fc70939612940d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e94dd62aff92664f88ad488f6b034d7

SHA1
109f62670437538ce08e87d50d44b0680702012c

SHA256
23901d3a4cb41d4f3d24e7aa0122b293b7abf897cb6c2caa2a622a359e01477a

SHA512
ed3db3a3e2e8daf260fc9bed667816850699829003fae509ae88db790b84bf8523214cac470baf957ca1e33ef5041b91c565d62d9d8379d6554144b41290df17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2FC8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3069.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/916-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/916-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/916-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/916-22-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2172-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2172-11-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2380-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2380-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2380-4-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/2380-36-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2744-26-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2744-468-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2744-39-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2744-28-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2744-30-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2744-31-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2744-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-38-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2744-34-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download