gh0strat | a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78

Resubmissions

24-11-2024 12:07

241124-pat21syme1 10

24-11-2024 12:04

241124-n8pphsylht 10

Analysis

max time kernel
140s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
Size

328KB
MD5

547b878574ddb23538a8d3409ce702b0
SHA1

ede7adac69f17ed846624c8942e5bdf5a737b164
SHA256

a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78
SHA512

966d6b8d7b91f2195e575ff175f718bf66de61830752e88d0f23956c4dbb9069e11002496bb5c31a21bb651687257994d0b28d7bae937fb46fb62f45bf055e90
SSDEEP

6144:4eKKtlCCp1fBpzhhh2KNZbBKKKrx90J8GtiU67+arHM:hlBpBBpcKwnON6Cars

Score

10^/10

gh0strat ramnit banker discovery rat spyware stealer trojan upx worm

Malware Config

Signatures

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral1/memory/1704-0-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/1704-5-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/1704-10-0x00000000003B0000-0x00000000003DE000-memory.dmp	family_gh0strat
behavioral1/memory/2128-37-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat
behavioral1/memory/2128-43-0x0000000000320000-0x000000000034E000-memory.dmp	family_gh0strat
behavioral1/memory/1704-47-0x00000000003B0000-0x00000000003DE000-memory.dmp	family_gh0strat
behavioral1/memory/1704-42-0x0000000010000000-0x0000000010024000-memory.dmp	family_gh0strat
behavioral1/memory/2128-133-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat
behavioral1/memory/1704-463-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 7 IoCs

pid	Process
1776	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
1336	DesktopLayer.exe
2128	Ysgmkcc.exe
2636	YsgmkccSrv.exe
1972	Ysgmkcc.exe
2960	YsgmkccSrv.exe
1092	DesktopLayer.exe

Loads dropped DLL 5 IoCs

pid	Process
1704	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
1776	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
2128	Ysgmkcc.exe
1972	Ysgmkcc.exe
2960	YsgmkccSrv.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3CFFF033-AA5C-11EF-9C49-4E0B11BE40FD}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3CFFF034-AA5C-11EF-9C49-4E0B11BE40FD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3C22905C-AA5C-11EF-9C49-4E0B11BE40FD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3C229051-AA5C-11EF-9C49-4E0B11BE40FD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3CFFF031-AA5C-11EF-9C49-4E0B11BE40FD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3C229051-AA5C-11EF-9C49-4E0B11BE40FD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3C229053-AA5C-11EF-9C49-4E0B11BE40FD}.dat	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3CFFF031-AA5C-11EF-9C49-4E0B11BE40FD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3C229051-AA5C-11EF-9C49-4E0B11BE40FD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3CFFF031-AA5C-11EF-9C49-4E0B11BE40FD}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	iexplore.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012119-6.dat	upx
behavioral1/memory/1776-11-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1776-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1336-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1776-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1336-27-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1336-28-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1336-30-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2636-45-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2636-49-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2960-150-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxBE21.tmp	YsgmkccSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	YsgmkccSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxC3CC.tmp	YsgmkccSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	YsgmkccSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxBBEF.tmp	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
File created	C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe	Ysgmkcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe	Ysgmkcc.exe
File created	C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
File opened for modification	C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ysgmkcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YsgmkccSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YsgmkccSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ysgmkcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438611727"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3BD1A191-AA5C-11EF-9C49-4E0B11BE40FD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Type = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "4"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "4"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070b00000018000c0004001900f30000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "4"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e8070b00000018000c0004001a000101	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 00000000000000000f000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2300000023000000430300007b020000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e8070b00000018000c0004001b00e302	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 09000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1704	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
1704	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
1336	DesktopLayer.exe
1336	DesktopLayer.exe
1336	DesktopLayer.exe
1336	DesktopLayer.exe
2128	Ysgmkcc.exe
2128	Ysgmkcc.exe
2636	YsgmkccSrv.exe
2636	YsgmkccSrv.exe
2636	YsgmkccSrv.exe
2636	YsgmkccSrv.exe
1972	Ysgmkcc.exe
1972	Ysgmkcc.exe
1092	DesktopLayer.exe
1092	DesktopLayer.exe
1092	DesktopLayer.exe
1092	DesktopLayer.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1704	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2384	iexplore.exe
2608	iexplore.exe
2608	iexplore.exe
2608	iexplore.exe
2608	iexplore.exe
2608	iexplore.exe
2608	iexplore.exe
2608	iexplore.exe
2608	iexplore.exe
1968	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2384	iexplore.exe
2384	iexplore.exe
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
2608	iexplore.exe
2608	iexplore.exe
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
1968	iexplore.exe
1968	iexplore.exe
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1776	1704	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe	30
PID 1704 wrote to memory of 1776	1704	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe	30
PID 1704 wrote to memory of 1776	1704	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe	30
PID 1704 wrote to memory of 1776	1704	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe	30
PID 1776 wrote to memory of 1336	1776	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe	31
PID 1776 wrote to memory of 1336	1776	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe	31
PID 1776 wrote to memory of 1336	1776	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe	31
PID 1776 wrote to memory of 1336	1776	a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe	31
PID 1336 wrote to memory of 2384	1336	DesktopLayer.exe	32
PID 1336 wrote to memory of 2384	1336	DesktopLayer.exe	32
PID 1336 wrote to memory of 2384	1336	DesktopLayer.exe	32
PID 1336 wrote to memory of 2384	1336	DesktopLayer.exe	32
PID 2384 wrote to memory of 2876	2384	iexplore.exe	34
PID 2384 wrote to memory of 2876	2384	iexplore.exe	34
PID 2384 wrote to memory of 2876	2384	iexplore.exe	34
PID 2384 wrote to memory of 2876	2384	iexplore.exe	34
PID 2128 wrote to memory of 2636	2128	Ysgmkcc.exe	35
PID 2128 wrote to memory of 2636	2128	Ysgmkcc.exe	35
PID 2128 wrote to memory of 2636	2128	Ysgmkcc.exe	35
PID 2128 wrote to memory of 2636	2128	Ysgmkcc.exe	35
PID 2636 wrote to memory of 2608	2636	YsgmkccSrv.exe	36
PID 2636 wrote to memory of 2608	2636	YsgmkccSrv.exe	36
PID 2636 wrote to memory of 2608	2636	YsgmkccSrv.exe	36
PID 2636 wrote to memory of 2608	2636	YsgmkccSrv.exe	36
PID 2608 wrote to memory of 2644	2608	iexplore.exe	37
PID 2608 wrote to memory of 2644	2608	iexplore.exe	37
PID 2608 wrote to memory of 2644	2608	iexplore.exe	37
PID 2608 wrote to memory of 2948	2608	iexplore.exe	38
PID 2608 wrote to memory of 2948	2608	iexplore.exe	38
PID 2608 wrote to memory of 2948	2608	iexplore.exe	38
PID 2608 wrote to memory of 2948	2608	iexplore.exe	38
PID 2128 wrote to memory of 1972	2128	Ysgmkcc.exe	39
PID 2128 wrote to memory of 1972	2128	Ysgmkcc.exe	39
PID 2128 wrote to memory of 1972	2128	Ysgmkcc.exe	39
PID 2128 wrote to memory of 1972	2128	Ysgmkcc.exe	39
PID 1972 wrote to memory of 2960	1972	Ysgmkcc.exe	40
PID 1972 wrote to memory of 2960	1972	Ysgmkcc.exe	40
PID 1972 wrote to memory of 2960	1972	Ysgmkcc.exe	40
PID 1972 wrote to memory of 2960	1972	Ysgmkcc.exe	40
PID 2960 wrote to memory of 1092	2960	YsgmkccSrv.exe	41
PID 2960 wrote to memory of 1092	2960	YsgmkccSrv.exe	41
PID 2960 wrote to memory of 1092	2960	YsgmkccSrv.exe	41
PID 2960 wrote to memory of 1092	2960	YsgmkccSrv.exe	41
PID 1092 wrote to memory of 1968	1092	DesktopLayer.exe	42
PID 1092 wrote to memory of 1968	1092	DesktopLayer.exe	42
PID 1092 wrote to memory of 1968	1092	DesktopLayer.exe	42
PID 1092 wrote to memory of 1968	1092	DesktopLayer.exe	42
PID 1968 wrote to memory of 2116	1968	iexplore.exe	43
PID 1968 wrote to memory of 2116	1968	iexplore.exe	43
PID 1968 wrote to memory of 2116	1968	iexplore.exe	43
PID 1968 wrote to memory of 2116	1968	iexplore.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe
"C:\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
  C:\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2876

C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe
"C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe
  "C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2644
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2608 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2948
- C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe
  "C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe" Win7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe
    "C:\Program Files (x86)\Microsoft Bdusbm\YsgmkccSrv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1092
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1968
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:275457 /prefetch:2
        6⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        Suspicious use of SetWindowsHookEx
        
        PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Bdusbm\Ysgmkcc.exe

Filesize
328KB

MD5
547b878574ddb23538a8d3409ce702b0

SHA1
ede7adac69f17ed846624c8942e5bdf5a737b164

SHA256
a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78

SHA512
966d6b8d7b91f2195e575ff175f718bf66de61830752e88d0f23956c4dbb9069e11002496bb5c31a21bb651687257994d0b28d7bae937fb46fb62f45bf055e90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13cffc8cf87e758d1e28c5a62e08c8c4

SHA1
75368f8132821c0d21183741b92b9b8ff662bbab

SHA256
56dbe8924aa01abe6e432458f66b983a7c4bf76a3d52122e5a1f34edd358881d

SHA512
b82f13558ab95dde3d64966ed0bc5595b9abea8ed60eff2ae2ccada542446d963f9fb3e52121c1f81a946d838e32dd17435c114b6389fa8cc8f30e4ead61bd44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2c99e90b809f5bf326c66d19942ce82

SHA1
238ecf1c932a61af22283f16d6e6386d40e23ad8

SHA256
2bc5f982e65bd2d835c2f3125f2512d32ad56c3e1c5e405283c92580dbfb0c54

SHA512
0a19b91ae29d0ad4ded670a15c97ad5d0021c924e130dea10da5586ccc5ba6e3864f006d6835bf624189773b0cca83b55af2c1918ad6fafa1d2898004c5d863b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96490db52279cf8b6daa5538d5a63102

SHA1
42773eb9464966d1d86bb685e7c3e482c53d837b

SHA256
6bfd870db72909a49a8dbc1fee459deefcbb493c8040f603fd79bef0fb99dc4a

SHA512
5d6eb80d81a28f5e8b304c67d551a7990ff40ef9d970f62e33f1af34a1cb55fbe63302644aa2aef6ddc433b15da042035a550350907f49c762539381bcf92621

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0ba4530ae91525ec0a13f60aedd2fac

SHA1
b4589f0191d3c3e15e932e09180f9d8d8ee6b17c

SHA256
e97f7c1d0b190415bec0ef9e72f6005096e13ff880933acbecbb1f501a3a6f27

SHA512
c65ef26c6cd2483b5021dc020949f9807c374fbb8e807e5590089499d8f681a28beec988afb87b77e6ffba980d293cc0eb41f43442c8d0065c5a150490981c2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9288728299feefa320eaa682669b726

SHA1
4e5781244dffd9d9baf4467380f3a222ea6ef18e

SHA256
e7efd5121a8f530d6d669ca6e5374e6b802b5a3e232812f63a4386761792efeb

SHA512
5705da7fcdf30354dc78372391027ee08ea41921e956a9c6cb61298eb31aa9fc08c31741caadb56bed6f37c8220a7bb7f990ba0c1734a5231ba71b9495d6a2b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d62857ebab33d909c17195945c60f2e

SHA1
0568c41ed03a7fb4f2d79cd003313dc318382e41

SHA256
29ded77b0832bd29f1676367d9ef101a2de5da6a8fabc2d1608e0338d1efe256

SHA512
35623c6e2bed6d8e8dca1577e771d03c70c69853bc59ef31c2a8db8cf2a430dd38110e3e7a42be2cf868ee82a43274ce5785a2579c3cfc3c3dd6ffebf702905d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9776a3dd0c17551fed60b81c414f1574

SHA1
02a03b202df0acf3fcf6b29e3bc076304d5b8fef

SHA256
a251d59d21c2c8566d46e380979f930441b46fee1b9504ed374cfd6478b56ebf

SHA512
cd2df0bbe25ab6aec96a874bff6ee0e07d18bb3c4d66e3eecbe442edd381c9b6c201a38f9da5bfb34a993900b21ab31177fac4e2e3192c9a5d2fcad9a4b3e08b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77baff8a8033691ccd086616c06c9c0e

SHA1
d73572b3fbebd710d49a8d85e1959c8b0e6bf6da

SHA256
3b3d58f4972b3312aa2df459c9d97e436178e413604f10295ec7a51f1b8650be

SHA512
05de2ddf9377a4521e30e3caaf7415f96d143344883b5f02fe9aabd1a0161e27aba15a9ece6319124874648125c0c896dc62d4488c40904f6e0d5277a26d2768

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
feb3ad1ecbd97cffb009b4abe2375c8d

SHA1
a1c43829368f678845b469010a7e3a878643b424

SHA256
90f5869b976e2f5ce195ff13060587bdc2c8dcc4c212d3ea29f0f8775e7ff0ed

SHA512
a79b5b6dff56d2c80e6354ce529038beb3711e404bb93a5dfd527191071de841bed0554c22e80429950ea4f1f9ed347a76e87561740a1b3c06dd7983c7df1a89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d13aad79583715e37ba576c4e590fc36

SHA1
01b1099313fb7f6aa5d45f95558c4fc65fb7eb99

SHA256
d82636a262a6dee1ddfef63c0bf922ef1554969f67f8b28da12faede09bd3b07

SHA512
cf2a585eca078f97bf740f5acc491f140d7d945ca82bbaed9f5bb174ccce4e361ba96628703bf551ef4243f2547e92093a0cbd40238c01c2ed89fff20ab9beff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e46f12863d42d92f5c185397e70e34f

SHA1
319d4631ffd30bb469e17ef5afcf5f3a824d4637

SHA256
c776e5aeb1af487f8db81366a72396f0a48cb4a7352e182ad675d9c0204e8417

SHA512
376cd4b1af01c3019279e9d9aa46bc95ed799887de5fb58eccca7f67ed6ceea7db9f4e013e4805ed82a09e10bfeafc8f911a1eff63db2a62aa4ce007558fd09f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d6a25665bd92cb8b0efae6267c08988

SHA1
ec1f48d900b005b7ad822d0b1d9432d98fee5041

SHA256
411542f263ebd44b30bde6d6c6ea39f9ecc9dc71a4b89f5820f687418a27c979

SHA512
7bebf123ffb90ebc9554cf1d8629ab67e37e57299613593d653694cbef17d805e838f9cfc9cc448ab672ad10afc4194d927f2fffb41414572bdc4f233d56eb49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eaec0152c89d2c19d46152f0676166b0

SHA1
a08fcf3187a906b08a887d8429c56ee207f1e165

SHA256
6551da76db98578bdfd3138e965d2d099003e79946b56cfbc684cca6aa24700a

SHA512
3c5ae965d84e67015ec45f55027afb422514cea376ac1633d98620dcb00013535e636bfc5b2e7d3bf597fe884a5ac6f1860148892d2a36154c3bdcbf194b758f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
253f2d64565b36ec7e4e00d9892c6803

SHA1
e9a75f6cd42d0ec784dd596e6da172246e1a2f16

SHA256
7d463d21bc40617bad7e28f663451b9abb107174e006fe453e20cf0e338957f8

SHA512
5f367fe11b5d7b959cd1726907e51e8a29a382a2af89b8398f12d91a591b18224ec096b3f9e9cf5349a725c048645e7bab18ff3ad22c115fa7389320140e97b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c319402b0e04531e47ef508107dc9fce

SHA1
d461c3536008c03f201f84e7e474888e02f24aff

SHA256
413ff7f1e0f92d71be7bdf0bc99db3f6984739c9f764120f1ee481c3dcc08889

SHA512
5cbb9fc26742188ced38a238a43e7b923c614b62db0253acbe0cde31d5d3aaafa1af3ed1398d8acdbe57c7801ece80ca3ff10cdc065220d34485dd5eea7a166c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6810a8e19199ef2ea4fe395e8fda3838

SHA1
164257e6f75109b4e56a73f17e196a2377661aa9

SHA256
8214df6c683496fee236fc426032664623bc7ddce5bb8bcaa6b020a170f01f3e

SHA512
65a7a76102aa393318cf3929315c6842fd6bc67946dd9f78891e48fa326d8e7472d3190924345caab5e7397760ff50beb90351de132fe30166cc995c8d5b1df3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a75022404fa0efafeb45afe9d29172a

SHA1
2fc906b1eff7afafe9980b1a3b980602665f8924

SHA256
65a46ac8256beb4f4bf47f2f20eea1cb6a5d4b8c1fc2e1e85f31a689dd9dc88e

SHA512
f494f3e680b0137b694946377a586ad591e09d304dd2efce173212ab88d672ad281c39241afc70b6259bea652d74f4d3bd5e6d3d1bf957f5d943a2337191506d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03d8e50ac6a63081d44eb9483c6fb8e8

SHA1
c5c3fb02c4f7115da545a75bb2df038f42c90984

SHA256
af0f81d7e93f97098b925ff2b4e7194571e086736d547112a087aee3013a48de

SHA512
ed803a226c63f00d016319c96ccc88e0377421d9604ef73cacfd517c1349a4a5e8f3b401ee52b5d77d3f4d764e03cd0b1bb3d25b7dde7558c5b656d452b510ca

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
6305e5d320bd7d6c24bfbb2822e819be

SHA1
b9cad77d4aca9a86d516610a9b0d355f39caff4b

SHA256
9a1b9f7b924e98ae90ec9e43c22efa86cf6950bb6868d16e90cdc36777754789

SHA512
e03afa5a48ee99c6304a4724d377e536304b1497c979e60961a62079167b2413a2c1fef6d3aa23cf414bd752895e3f413208b8264ea4723fd9869902d81266c9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2c2032c0972fae13f284fdc6a492971

SHA1
f65ed5cb908a45d9b6fe35350675a303a3ddee7c

SHA256
841af53706589b1cb34740002d38e8ed8ad3d6fdee8bdf14e7bc44387c90cf14

SHA512
1644cc91a539a75ba16a58c5e4255ef5da6630d0e83bec0b6dfc02436a9a6fa4d75032ebc78ff44d094802faa6b63ff1613601261f45138d06d41f351aaa47b2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9dbc8f072b642b8adf069f83d9afd19

SHA1
2f623be5d6962f7dd90cdd3032f68b51f895118c

SHA256
fa078bc609a9a002383a64dd2be05ab802fa966e36ece326ce668c6db4d624e5

SHA512
e16d98df137afef0756bee8b8ae65dfad23343c53a07a16498f071924168ecc1f56012db9a8660c5512125def1d71d953a1cd65754ef229529522c040600c09a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3e549ce1fb40f91007dec945ef23208

SHA1
aafa15d42ea196e2bce58fc7c02e015c2445407a

SHA256
931d52353d1dffbed74ca53e25447f6a3795e9cd3bcc4f9bf9f20f47b7b276a1

SHA512
54360a82f20ca7a57825d5a8fc34335b47d609232335ae1b7d0a12944c3717e9766fff415412917c53be50c8459d900355c93b4edc613e00a3780fbc178736c9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f6bf5c994b3af9a2d129b8e775038d9

SHA1
0cc193a419119557b7c2b12a7ddf8c2c9d342a55

SHA256
78c43fda4f5d475791da0797d231c97c57d3529f00447365078ae60ea9a7b070

SHA512
ac973fce5d90c68a355998ed6c3f335da0a643f10acdb5076008bbb9dddb4c1e7b46705452bcb9da7ee42bd7a7dcddf6f1b1cf51d2381393b4668d45fc26c2a7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
147dd44b4614792e24dd48d907bf4ec2

SHA1
2671ebf7224764e04a1072d028cd0b81d667bda1

SHA256
23a5bfdc9b865d11ff88cd09ab4c08598655bd595648ff8cf3e40065f28e8f4d

SHA512
690296024c3902deb223f195b487c51817dea0cc01cdf617c2b2152772ca6266bb5d7147f89888070661ecc0243a3911ca8f67f0032b169e7ee7c530c54e077d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52a9732758899dcf9362a0c216f3824e

SHA1
d3f5ea4756f33c30cb090bf175e452e8dea39a4f

SHA256
cfcc29d96f7db0c9b91c7335328af688d80aecb927cad7042008e8f1ba8280cf

SHA512
f94ed67c13536845751c31bec3b1f51bf6df5f386bd990510e2eb0443bf8e7426eaaa291eec43c7dd6250b0683dbb497433360eecf29aaa05c5c38d5e6db159b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f401537ea7baa2d6947d57a78b4ce33

SHA1
58efe7717ab49c23cd02d44b95e80dca426e6acc

SHA256
031aef8eb5d980ce8d06fbd211ccaaae117985bb0109047fe8a04d42e6f8ed9e

SHA512
81344567da2784619029728230f3ec29bd5092b10907da84c082bae979b85d73640907182d708e24373666126f15ebf51947e8c29bd1971666f5667ef14e253b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c48d49d4e89b46f94237f3cd9f8d9cac

SHA1
a0fd3b47459ca993bf789dcec8e70fad93fded1d

SHA256
fbf91e943b9ecb77ed4691a4053f46f327872a8f44a8d3afb895c7fc766b6b79

SHA512
d5885e8664d1baa9923ce5a3b6a9ee1ee0dd6be08b10e9addd2d92440cbb63e83e9b6e6c4f2612a9b56fb959d09e126c4aea4398c4c57c67c899fe1f0fab8ca4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e45cf9710a838fe8741155124df5f202

SHA1
385dd06a39a7ad3aedc561a9fdb80d7a04415884

SHA256
339660ef73592c13612597b1d39bf604c9067b24c3fd921babacb2f68dcc261b

SHA512
30c391e0c6b619e69f7bffad6e7a815ea5109aaef3488a9497dea04d66a84b09fd7c8e9651f2aa8d46cabda319cac5e0b2746cd36f0d5127b40d9c354c402905

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f340547b8ff42e72d961335766d575d

SHA1
944b922890d6556b22510b708f3bf3e648d1c035

SHA256
8e7ad2cfcf422e008f23067c6cd39580fef8557f6b0f62f9614348f3f7ec36ed

SHA512
2e6f9bb75a83d65db6f5ab8389ed08bac2e6761eb5f332e82e7b2348c8afcf98fdbb004319c411cf33931408f38da22dff869d5ce474fbc29ffb6001cea0b1bc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e68fd34ca7ac940491df94102f916ea

SHA1
5033d5670cd5b57cd0bdb77605d9cf87b5aa7c1f

SHA256
ee3a978b48601d1219cfab7f8e26fe251625d1cf4498b18020db8c64e171a09a

SHA512
fe55912b558a8233f5b9edccd308445ef0f55b3cfb0cfc3cd51da082c1f22ce265bb1ebf18dc46e4a7c097e9fd996f10e42163634a62280fdd7279eb28b57ba5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98e03d675f46ffb92b9bea228c777e0a

SHA1
a7e9ef257b5e9480070f29b10258ed9f6a750631

SHA256
94a79fcb64a5e50a132c03d5c4fa38bb9de6ff3405dddec379e79f92c0d18a97

SHA512
4ccf7f74eed0197756a4438921cd28783163dc9e4610f14febb7a83ae5a366df0fc41f4499b60a23a56bc38a8e996949f9d60a3ff796bf5532f3cf334b05738d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3195132ad63e9079b00dc54a5122491c

SHA1
c9bd6546c72887933c3791c13745bd0655fcd03e

SHA256
cdb44d5a5408117d90b642e94be46a82832e53ee7b853a5b94a7d9ac7e87ed9d

SHA512
24669c8e566dba38fb013497b756ce79bf247991c545b24a82dd438d9ec9e9e2384fc70ce9b7068fbabfe7fc883828d01a2e82dbe3008180a0b1b36011ea92f0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39fbe2d6d6fcef803886155a551ebd1b

SHA1
52ec39828cf30090c10999f993b556659e81aacb

SHA256
f035c22015f893a6d59eef59cab3fcc1793e472cabfd2534b4e61a984befe03a

SHA512
b570093bbd1fccce2bdeb2b8af8f223e54d3c37718e7649725f1ff2988e2e4c2f355ccec66dbd1ec8c7e78a5758d2376d5dc4bb8e4a3b761bd9ad59528fd8738

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b7f1d5214bc5402d8e23123f9160837c

SHA1
5eeb1968a721d21cfe73360d1bf738774597d4a5

SHA256
d93e0aabc6d6a2e8c2fb0f48eccbbc3612c67f972c50d5630fb2eb204b9daf13

SHA512
a9f76c0a27c1566dcd81599dc23576c13321fb9f13573f4bdb600b67fc4e4d4d87dda60a19d9fc58e0c51457bba777b2058c5e5f8dadbd07c87faaa5f49ad1a1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
282B

MD5
dd74e2fe22d5594e137db16b476dba8a

SHA1
ea87306a8488f58b874ed91af4367a613b996da1

SHA256
14ce9784828edd441bdad1eb1933bc9140e134aa08cc25af0983008ed273b3c7

SHA512
22ddb320e5218f831a0056443c530cb14ae9838dbaf19f5a96067ccab63fb2cc8b6ce5b1e5197759721bd6bee2d2f9067236d44e377c14859da756f013139089

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabD80D.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarD83F.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarDAF3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwBFC6.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwBFC7.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3C229051-AA5C-11EF-9C49-4E0B11BE40FD}.dat

Filesize
5KB

MD5
5041b76c70765a07f8f774477092cacd

SHA1
239936b7241535e2075d5f7b27e36f4eb088c71f

SHA256
e6d4d4c389b5471f412fd5cda6b9891b8a89b7b5873cbbd835edef651b934b74

SHA512
06db77108033d69267c90431d4e31cd6994cdf93b2acb9a6a5baefbbe3931f87f8eaf42a35a5a0a615a52fdd9f9a51bb4af713eacf00ce33da8c6b6b0c303de6

Download Submit
\Users\Admin\AppData\Local\Temp\a200023b3ff5786e5e4d90ff8fb355a4bbbe052861871e29a361d2d04233da78Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1336-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1336-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1336-30-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1336-26-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1336-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1704-42-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/1704-0-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/1704-47-0x00000000003B0000-0x00000000003DE000-memory.dmp

Filesize
184KB

Download
memory/1704-5-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/1704-463-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1704-10-0x00000000003B0000-0x00000000003DE000-memory.dmp

Filesize
184KB

Download
memory/1776-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1776-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1776-14-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/1776-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2128-133-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2128-37-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2128-43-0x0000000000320000-0x000000000034E000-memory.dmp

Filesize
184KB

Download
memory/2636-49-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2636-46-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2636-45-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2960-150-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download