ramnit | b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 13:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68.exe
Size

136KB
MD5

3c3e24950cabd8dc10c1b64e6bb12a60
SHA1

b2383ce4f82f096d0c2fa17b6f32739b0569dcd9
SHA256

b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68
SHA512

45d543f57f312768bcca612420b458f64f0f2a380314693c41ba4bfedc825960a2a80380de5c391ce24706bfafa909c8076c0d49813a0adb44b58e49779e726c
SSDEEP

3072:wRo4mNx+6koApfx66SM8VjnsbByy+94xcej0Suopxegt52gf:2NW3koG/SM8VTIBBBpf3t52

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 5 IoCs

pid	Process
856	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68Srv.exe
320	DesktopLayer.exe
1968	elxplorerpwwvz.exe
964	elxplorerpwwvzSrv.exe
1784	DesktopLayer.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000000b2d2-55.dat	upx
behavioral1/files/0x000500000000b2d2-57.dat	upx
behavioral1/files/0x000500000000b2d2-59.dat	upx
behavioral1/files/0x0009000000012324-60.dat	upx
behavioral1/memory/320-66-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x0009000000012324-65.dat	upx
behavioral1/memory/856-63-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x0009000000012324-62.dat	upx
behavioral1/memory/620-67-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/620-69-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/files/0x00070000000132e5-70.dat	upx
behavioral1/files/0x00070000000132e5-71.dat	upx
behavioral1/files/0x00070000000132e5-73.dat	upx
behavioral1/files/0x00070000000132fc-75.dat	upx
behavioral1/files/0x00070000000132fc-77.dat	upx
behavioral1/files/0x00070000000132e5-79.dat	upx
behavioral1/files/0x00070000000132fc-81.dat	upx
behavioral1/files/0x0009000000012324-82.dat	upx
behavioral1/memory/964-85-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x0009000000012324-84.dat	upx
behavioral1/files/0x0009000000012324-87.dat	upx
behavioral1/memory/620-88-0x0000000003200000-0x000000000327F000-memory.dmp	upx
behavioral1/memory/1968-90-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/620-92-0x0000000000400000-0x000000000047F000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1968	elxplorerpwwvz.exe

Loads dropped DLL 6 IoCs

pid	Process
620	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68.exe
856	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68Srv.exe
620	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68.exe
620	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68.exe
1968	elxplorerpwwvz.exe
964	elxplorerpwwvzSrv.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	elxplorerpwwvzSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px639.tmp	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px69BC.tmp	elxplorerpwwvzSrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BB25E991-6F0F-11ED-BE8B-FAA138970F28} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376399862"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
320	DesktopLayer.exe
320	DesktopLayer.exe
320	DesktopLayer.exe
320	DesktopLayer.exe
620	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68.exe
620	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68.exe
620	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1784	DesktopLayer.exe
1784	DesktopLayer.exe
1784	DesktopLayer.exe
1784	DesktopLayer.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe
1968	elxplorerpwwvz.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1908	iexplore.exe
1908	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1908	iexplore.exe
1908	iexplore.exe
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
1908	iexplore.exe
1908	iexplore.exe
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 856	620	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68.exe	27
PID 620 wrote to memory of 856	620	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68.exe	27
PID 620 wrote to memory of 856	620	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68.exe	27
PID 620 wrote to memory of 856	620	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68.exe	27
PID 856 wrote to memory of 320	856	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68Srv.exe	28
PID 856 wrote to memory of 320	856	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68Srv.exe	28
PID 856 wrote to memory of 320	856	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68Srv.exe	28
PID 856 wrote to memory of 320	856	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68Srv.exe	28
PID 320 wrote to memory of 1908	320	DesktopLayer.exe	29
PID 320 wrote to memory of 1908	320	DesktopLayer.exe	29
PID 320 wrote to memory of 1908	320	DesktopLayer.exe	29
PID 320 wrote to memory of 1908	320	DesktopLayer.exe	29
PID 1908 wrote to memory of 1764	1908	iexplore.exe	31
PID 1908 wrote to memory of 1764	1908	iexplore.exe	31
PID 1908 wrote to memory of 1764	1908	iexplore.exe	31
PID 1908 wrote to memory of 1764	1908	iexplore.exe	31
PID 620 wrote to memory of 1968	620	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68.exe	33
PID 620 wrote to memory of 1968	620	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68.exe	33
PID 620 wrote to memory of 1968	620	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68.exe	33
PID 620 wrote to memory of 1968	620	b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68.exe	33
PID 1968 wrote to memory of 964	1968	elxplorerpwwvz.exe	34
PID 1968 wrote to memory of 964	1968	elxplorerpwwvz.exe	34
PID 1968 wrote to memory of 964	1968	elxplorerpwwvz.exe	34
PID 1968 wrote to memory of 964	1968	elxplorerpwwvz.exe	34
PID 964 wrote to memory of 1784	964	elxplorerpwwvzSrv.exe	35
PID 964 wrote to memory of 1784	964	elxplorerpwwvzSrv.exe	35
PID 964 wrote to memory of 1784	964	elxplorerpwwvzSrv.exe	35
PID 964 wrote to memory of 1784	964	elxplorerpwwvzSrv.exe	35
PID 1784 wrote to memory of 2000	1784	DesktopLayer.exe	36
PID 1784 wrote to memory of 2000	1784	DesktopLayer.exe	36
PID 1784 wrote to memory of 2000	1784	DesktopLayer.exe	36
PID 1784 wrote to memory of 2000	1784	DesktopLayer.exe	36
PID 1908 wrote to memory of 1588	1908	iexplore.exe	37
PID 1908 wrote to memory of 1588	1908	iexplore.exe	37
PID 1908 wrote to memory of 1588	1908	iexplore.exe	37
PID 1908 wrote to memory of 1588	1908	iexplore.exe	37

C:\Users\Admin\AppData\Local\Temp\b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68.exe
"C:\Users\Admin\AppData\Local\Temp\b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Local\Temp\b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68Srv.exe
  C:\Users\Admin\AppData\Local\Temp\b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1908 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1764
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1908 CREDAT:209934 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1588
- C:\Users\Admin\AppData\Local\Temp\elxplorerpwwvz.exe
  "C:\Users\Admin\AppData\Local\Temp\elxplorerpwwvz.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\elxplorerpwwvzSrv.exe
    C:\Users\Admin\AppData\Local\Temp\elxplorerpwwvzSrv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\elxplorerpwwvz.exe

Filesize
2.1MB

MD5
67c1ac5eda69762995a5bd8a9d243e7f

SHA1
3825859da1b4edc8255e1fb4feda9d9b80cd0124

SHA256
b3510b4a637fea1a046857bd40c547ee8593985f6a26ff97643a4cae592f7278

SHA512
c12a956dd8494102e2ebbb58a305dcc68cf0721ea8fec0bae4711278eb67028decb5a62729c1b451c793f14403cd2539c73ed5e19fee563073b8b0f82ee38609

Download Submit
C:\Users\Admin\AppData\Local\Temp\elxplorerpwwvz.exe

Filesize
2.1MB

MD5
67c1ac5eda69762995a5bd8a9d243e7f

SHA1
3825859da1b4edc8255e1fb4feda9d9b80cd0124

SHA256
b3510b4a637fea1a046857bd40c547ee8593985f6a26ff97643a4cae592f7278

SHA512
c12a956dd8494102e2ebbb58a305dcc68cf0721ea8fec0bae4711278eb67028decb5a62729c1b451c793f14403cd2539c73ed5e19fee563073b8b0f82ee38609

Download Submit
C:\Users\Admin\AppData\Local\Temp\elxplorerpwwvzSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\elxplorerpwwvzSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpath.ini

Filesize
102B

MD5
ea92a4fa9d991a83a0c5d499fbab8ea6

SHA1
31f00f0c96264f7640b1ac4c51ee1c52b5892248

SHA256
7aa661f3d9cbe5f0ad4fe7855585bd1b867c1afe1e63445bf074a7b3760da6f9

SHA512
ae5816e3475126a51a056caf87f730ed3b8020828417798943523f90c31c77cc8e888bea401504bd9e7198b3195ba4bae65b921ac7117b822785c7b8dae0541c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AVCCDX19.txt

Filesize
607B

MD5
c0ef1eb73dfb3cdb9eb5eebcb9f67d2d

SHA1
497002e08c873a71de53851c317aa8688ad9f15b

SHA256
ae021a2a59183342d7f3b4c898627fd0345e9835fbd93de896001f02f09d0ebd

SHA512
893d718905e4cc253161affe65d74e1c5256a2f19956a1392ba5ff757fedb6730a7b4ce70d4e59c757e18751aa5c1b6974a26425325199e61a9e1eee9d0fb5e7

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\b809a1c08bd07d3cc716bd34fabbc7b476f14db60c30c79cd456cd55e7a39d68Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\elxplorerpwwvz.exe

Filesize
2.1MB

MD5
67c1ac5eda69762995a5bd8a9d243e7f

SHA1
3825859da1b4edc8255e1fb4feda9d9b80cd0124

SHA256
b3510b4a637fea1a046857bd40c547ee8593985f6a26ff97643a4cae592f7278

SHA512
c12a956dd8494102e2ebbb58a305dcc68cf0721ea8fec0bae4711278eb67028decb5a62729c1b451c793f14403cd2539c73ed5e19fee563073b8b0f82ee38609

Download Submit
\Users\Admin\AppData\Local\Temp\elxplorerpwwvz.exe

Filesize
2.1MB

MD5
67c1ac5eda69762995a5bd8a9d243e7f

SHA1
3825859da1b4edc8255e1fb4feda9d9b80cd0124

SHA256
b3510b4a637fea1a046857bd40c547ee8593985f6a26ff97643a4cae592f7278

SHA512
c12a956dd8494102e2ebbb58a305dcc68cf0721ea8fec0bae4711278eb67028decb5a62729c1b451c793f14403cd2539c73ed5e19fee563073b8b0f82ee38609

Download Submit
\Users\Admin\AppData\Local\Temp\elxplorerpwwvzSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/320-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/620-88-0x0000000003200000-0x000000000327F000-memory.dmp

Filesize
508KB

Download
memory/620-89-0x0000000003200000-0x000000000327F000-memory.dmp

Filesize
508KB

Download
memory/620-92-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/620-68-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/620-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/620-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/620-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/856-63-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/964-85-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1968-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1968-91-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download