ramnit | 706163c3c270c14b8e783e2a924525363e61baeac9d3a02392c735805607e901

Analysis

max time kernel
134s
max time network
127s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
29-01-2025 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5846673d916f334ac8bae7c1c3120382.exe
Size

52KB
MD5

5846673d916f334ac8bae7c1c3120382
SHA1

bf7141db141fa11f73ecc5115196eecb611b24e7
SHA256

706163c3c270c14b8e783e2a924525363e61baeac9d3a02392c735805607e901
SHA512

c4b0459dc35c3dc101ee85367a8f69fb8fd0e51cf7445bf11b32c12dd158479d8d796ab615d765b36072179685a996fe400bd6d6acca175788c718ca1f02a519
SSDEEP

1536:43j72srzVRv7Kf4AH+pdcDJVoYMeKTn1:wusXjTuoaD6eK71

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 1 IoCs

pid	Process
2892	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
1096	JaffaCakes118_5846673d916f334ac8bae7c1c3120382.exe
1096	JaffaCakes118_5846673d916f334ac8bae7c1c3120382.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1096-2-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1096-3-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1096-12-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2892-18-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2892-21-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px7D4B.tmp	JaffaCakes118_5846673d916f334ac8bae7c1c3120382.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_5846673d916f334ac8bae7c1c3120382.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_5846673d916f334ac8bae7c1c3120382.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5846673d916f334ac8bae7c1c3120382.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444336039"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2FF64671-DE6C-11EF-A641-5E10E05FA61A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2892	DesktopLayer.exe
2892	DesktopLayer.exe
2892	DesktopLayer.exe
2892	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2856	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2856	iexplore.exe
2856	iexplore.exe
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1096	JaffaCakes118_5846673d916f334ac8bae7c1c3120382.exe
2892	DesktopLayer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 2892	1096	JaffaCakes118_5846673d916f334ac8bae7c1c3120382.exe	30
PID 1096 wrote to memory of 2892	1096	JaffaCakes118_5846673d916f334ac8bae7c1c3120382.exe	30
PID 1096 wrote to memory of 2892	1096	JaffaCakes118_5846673d916f334ac8bae7c1c3120382.exe	30
PID 1096 wrote to memory of 2892	1096	JaffaCakes118_5846673d916f334ac8bae7c1c3120382.exe	30
PID 2892 wrote to memory of 2856	2892	DesktopLayer.exe	31
PID 2892 wrote to memory of 2856	2892	DesktopLayer.exe	31
PID 2892 wrote to memory of 2856	2892	DesktopLayer.exe	31
PID 2892 wrote to memory of 2856	2892	DesktopLayer.exe	31
PID 2856 wrote to memory of 2712	2856	iexplore.exe	32
PID 2856 wrote to memory of 2712	2856	iexplore.exe	32
PID 2856 wrote to memory of 2712	2856	iexplore.exe	32
PID 2856 wrote to memory of 2712	2856	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5846673d916f334ac8bae7c1c3120382.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5846673d916f334ac8bae7c1c3120382.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98c77770c0ca34b2832ffdd036979591

SHA1
9ce45f79c360b463c5eb7257a93a32db093625c1

SHA256
458984b415a7e0b82dc2cacf7905c5e6610ee6b1353ed17c96ab5a9d2a6102ac

SHA512
577f6006ba8ed9e477d0a68636fbf622dd7e69afcf153c8a957e99cce824622d249187f8eca5420dd3aa827a1a1addfd33608e01e5b642f6794dee0ae7cff7c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3dccb286567e5a9e27469c40f983b62

SHA1
56a7dfd27bc15abfe45044637219e30bb1392a81

SHA256
c88f41ab03a522ea9c76c365b7118ef04fb2eb4f16e02a0c78a83aa86e906366

SHA512
9dee41102f443f9a8a5a7f72992a2b92866631978966982a84fe7289758bc96ba8150a98580a114ec0f3445f42492a48bce8f4e3d3c1383ebf5d074b4b5230c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6cd4f3f839e8c72a4ed5c9f8ef84c830

SHA1
97ccb07c9aa402fae389f509eb6f01492e083ed1

SHA256
6b0e8efad13d23f4e6d864429d5363bde5fe93f27509b1a58096504293d58ff1

SHA512
a8b4119ac13cc460f822034d55ae3d9f5215b0cb8a76b4eda92469f02dbfc59fa9603357c222e65750b7e78e7e2d37a09cfc9881bcc1d5b312894d5bfde00b60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d0e2ba3725ea5e9c7e78979ed938cdf

SHA1
677b886bf12a2497823ffa3b962f958bfa564fc3

SHA256
1f9c83c15745b814139270915e3448f9bd198611612f7ec7f46aa25b851fe945

SHA512
dc0dca385b39a732497c14e431ae0fb16a297417a6faca094ac57130e4e1810c6694722bb04b53341ee678f02ab64f69a9bf5a6be392754f980b45c679ce9e29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a90946027782d5527c836145c239b3b1

SHA1
19f5d91d88d9fc4243ad4744b47e736d719f7dd9

SHA256
74489caeb11481cf8b60f65ce7f26cd575bdf41401042dc9dee4c9bdce498381

SHA512
1a67d2f26f36f874a91359039ce6275770e367934775f6600763eb5222a5ae0fd3c7837e891510c729c92ea32180cbb8d7e45bd7a19dbdba26463ae4a0c1ecae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d72964cd1b16105815015fbd4c1fb521

SHA1
020ca8c9727069a79511c2f7d0e64c8ff735d479

SHA256
6cd41b75571d8439ad3a65506d68f856ebf78c3d6a64cbd8a618421399d5d5c9

SHA512
3b556f0d70e2ab85900780f6318324401db3175b21abbf0b37b740fa1394550f1c6e953afa9c0fbfbd0e2923056be8b80f87117ce9ef091c2dd3f63047d78688

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac747ba090e94ca4cbd14552302e5aaf

SHA1
4ccc5f4ac4af7cf7ba9509e122665f23b1118e48

SHA256
0ae7f924597838a2c547e532179590ab42375bcde76056fcb5383d1f054218a5

SHA512
c5e51d493e219093952c3b629c8c4d3b61a80c88a7d737cf9081f95ec781a8fc00f865a82acff59f7d5d91d0c3407cfee76f834b01d3866290d8680beb52f893

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ea482580a6a63ec5574b3c0a5a61340

SHA1
e9d718cb936acb413463f3b73361cb59e07eaff1

SHA256
1d4689c99e6373897c696f96d4ef463ac6a6ac693de16cee0623fc18eea323eb

SHA512
89d5b7219d42afaaac1893a708f435369a6b13ede8e4d6a1d7c3978754a2b0b06a0a0f37293c50b4af4f35c9cfd7d6b111fd678842c1fdb68a294967b92abaa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a3a2869540918a2ed781fb5715ccec3

SHA1
99e79ed5967b8fc8ca411ed6c2820bab8a113232

SHA256
5ad8aad29ee00be2c0fc654b9e14750674167977c881e6fb520b6e0805afb619

SHA512
03c05ca7bbbe087ad6408508d9f1aed53ff06a7cc7100356bd02602b05b8722298ab5980ff1b6b4a658abf64b1450519a21bf340011ad9bf19e60d638a94a18f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b10c465cab1814a03d696d0b2d24e7a3

SHA1
7cf9a70fa83dc940a521de5c6fda9a5c3ca41cd2

SHA256
cde9ad4566c9ddd10805efd8c587945a923db56cc04566be648f98ae7ed07a53

SHA512
b6aff5a0d40634cbca98acaccdcae3b2a638efb30aab4a88c437ab4e9886ab3182c3bc51c9eabbf6395c05c52608979d6aa0ac72fa8badabb05730670ef38d4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce7cab374489c5376afd0f9b9686fc16

SHA1
a4e1826986596e1d073a7db89813c75b67eccad6

SHA256
94b1f86fe1d0d4610d0e0c6dd1a8c8b1725af888343ac76b6392d3a1be805f4b

SHA512
ce15350424ed3d1735ffabf9661560f0ecd6a54a8bf5946862df4c0dfdcabba8d7695fec330746a9ba123b386354c71120074a842bb0734244e881efad9f1dce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5434609457e04614e9d83a4adb06238

SHA1
608f1b0cf68eb698b9741e01fa0611456e3d192c

SHA256
9eebc3f4c0b5969a3f8564e0e52f7031ad14efb2944ece4c3af1912d6f348c40

SHA512
e8255680a0b108b370c86530af5c6b8fd6e7b69dea97ce5177b45283c41e2d2ad1fd82cbe71b4becc1fc8364b1479873e6a2f3512703cdf02f21c3a53b50b5eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
558da784df342d17292eccaa7203fa4d

SHA1
0982c849b39c40ccbdc73c4f2ea16de784eb4c2e

SHA256
7bfaf7df36540feb6644d24025020baf3d841ea382432b28944a6f18f7d4264d

SHA512
a0e1510e83ebd6e68bc2ac336acd2aecb70023da270d271b8d5a45522d2de5f95c14615465494ee3ebdb30e9298e40809bacef3876e9c1e4c375f956c4c7ae77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
287b76ef666c72a36b7de658bb62d194

SHA1
b47e1c4a573201fe9ec56e4a6c513b0e24e48760

SHA256
fb12c5dd81c9ba487b1071045b8e44f77c2ef681ad06ca20475fd31ceb0dacb0

SHA512
82cbe74db9b35c6b477ee4c94c360b50372501a6bd2556b83081a8a828585f6b70ac02103856c58b65b1b31d43f70396b7d3a88ceae8666605de37071b42c5cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42ac27f6e1a9593b519bf2772453c017

SHA1
e65be9f1feea5ca4b55d8faba5b10ab2085667e6

SHA256
8eb8fa903f6400c4edb3605f3ed614fb7bc1d45aaf58c21ca66eba42089fd3ee

SHA512
bc26a742a8447559c748c5196d35bd18d26e7501395547b6ef534356844c28b147879f75e1163cce534aa5a802bdc64e6e3644667277d63f6fdbfad750b97a47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ff670478adf08f1eb9d2f23a08c15d2

SHA1
3781a14746c8973de7586955ec6f61660c9b97bd

SHA256
8bdbf790335183d26aa618d8f01308c8b634af620cb7df698bfa5c6a042f0638

SHA512
e0ee02ced5ac20dd11a981fb04a5f746950d569ebf91b7d3d9c93e280266523a726d74940ee336ce14dbea29af703e425824bfc3dad00691f29df34befd05f31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
092812680474f28e87e3cb70c67883a0

SHA1
03927536974ef1111cd18d0b0c3574303cbac298

SHA256
a10c4b0e45fc0928d446bd3de7e2c2146b820be2c2cb1d562020f94f6bac2768

SHA512
32b238f537571c088650f085db988fcd9735e6f861c3f803433467063528f7aa4b2d303d5492d85ddac473fc34105efec342ff016f48c8c97a072e18801ba67a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcee16afd40d8835eba4b9f6e48381f3

SHA1
27fa77911bf665eeccd9f80da1ffe2d991752e8b

SHA256
3e6d0cb6cd7a1e23782bf81f1f1eab31d93e81a3a5ffe4fe54e574c5887fcbea

SHA512
b7b21fe74b6c7d195faaa9a88bd3b67c6ac00677285b6f6c93abc2567811cafa0e2d75cc04c2bf22b36e19c03237d6a4d378f396df3df7a1e65f506de1f3a131

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac0e4290c69fbf5fc08de59048c22737

SHA1
1366812a8c22e01b9f037bb4c9ee662fbab1e3c2

SHA256
22dfd1651fa9894f2b11ce360b8aeb684d41eb0a6fb47f2fc2c3987b6aca6093

SHA512
fb30f91f7311c4724dd258b551341c96c7f0e299817fb71d88115686781d722741a2556f45b62018d61fe47674308da9744f0091e457550431074e8c452bdc70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c66cdb7ad9696a0cb469803f6aae8f4

SHA1
8e54fb0c23df5dc1308dc0e0e6ac90f3f1bedb25

SHA256
f1951ae3165b162c0635c0dbd1033709cd0223d3fe8308fe127212eeb4e9531a

SHA512
9cf26d0bdf4d4a898c9fc8999898e48b202db5f1c7515d191c89a5d1391055486461fa31d71114931616363a67a4de425796c628ec169f7d84ca17a8eb2748b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d12a8bf6e6f73d76c54aaf0729a9bf0

SHA1
c4e6463e9176bd16931e5450aefff7e7eccb4aa2

SHA256
5f7c300424d7740553163fa42f2343fcb91c1f226eebe66f89217e5e475e76b6

SHA512
5097ca810a3c66ac152e3811d046e1ce0a86eab7adc0561aa74f587130f366741268e87517ff48ccc502f359abbfb8050d3d71e83b8c2c04bd969cde0c7cc7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab935D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar93BD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
52KB

MD5
5846673d916f334ac8bae7c1c3120382

SHA1
bf7141db141fa11f73ecc5115196eecb611b24e7

SHA256
706163c3c270c14b8e783e2a924525363e61baeac9d3a02392c735805607e901

SHA512
c4b0459dc35c3dc101ee85367a8f69fb8fd0e51cf7445bf11b32c12dd158479d8d796ab615d765b36072179685a996fe400bd6d6acca175788c718ca1f02a519

Download Submit
memory/1096-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1096-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1096-1-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/1096-3-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1096-12-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2892-14-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2892-18-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2892-17-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2892-19-0x00000000770CF000-0x00000000770D0000-memory.dmp

Filesize
4KB

Download
memory/2892-21-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download